Windows Analysis Report
Java32.exe

Overview

General Information

Sample name: Java32.exe
Analysis ID: 1583255
MD5: 9664ad464838e6f6e2196a594ef5682f
SHA1: f975cdc29e519f08df38ff375b587b4db9ea676e
SHA256: 9119d9e8d1a7078c637d5af9d09d5fce63c9fb300b47c08e580387a867f97a46
Tags: exe, XWorm, user-lontze7

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Java32.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\Java32.exe" MD5: 9664AD464838E6F6E2196A594EF5682F)
    • powershell.exe (PID: 1656 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5584 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java32.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 url": ["45.141.26.234"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}
Source | Rule | Description | Author | Strings
Java32.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Java32.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
Java32.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xd5da:$str01: $VB$Local_Port
  • 0xd694:$str02: $VB$Local_Host
  • 0xb19a:$str03: get_Jpeg
  • 0xb85e:$str04: get_ServicePack
  • 0xebec:$str05: Select * from AntivirusProduct
  • 0xfa03:$str06: PCRestart
  • 0xfa17:$str07: shutdown.exe /f /r /t 0
  • 0xfac9:$str08: StopReport
  • 0xfa9f:$str09: StopDDos
  • 0xfba1:$str10: sendPlugin
  • 0xfd2f:$str12: -ExecutionPolicy Bypass -File "
  • 0x1043d:$str13: Content-length: 5235
Java32.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe6c8:$s6: VirtualBox
  • 0xe626:$s8: Win32_ComputerSystem
  • 0x10b4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10beb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10d00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10358:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\ProgramData\Java Update(32bit).exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\ProgramData\Java Update(32bit).exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\ProgramData\Java Update(32bit).exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xd5da:$str01: $VB$Local_Port
  • 0xd694:$str02: $VB$Local_Host
  • 0xb19a:$str03: get_Jpeg
  • 0xb85e:$str04: get_ServicePack
  • 0xebec:$str05: Select * from AntivirusProduct
  • 0xfa03:$str06: PCRestart
  • 0xfa17:$str07: shutdown.exe /f /r /t 0
  • 0xfac9:$str08: StopReport
  • 0xfa9f:$str09: StopDDos
  • 0xfba1:$str10: sendPlugin
  • 0xfd2f:$str12: -ExecutionPolicy Bypass -File "
  • 0x1043d:$str13: Content-length: 5235
C:\ProgramData\Java Update(32bit).exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe6c8:$s6: VirtualBox
  • 0xe626:$s8: Win32_ComputerSystem
  • 0x10b4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10beb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10d00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10358:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.2003941272.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2003941272.0000000000B62000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe4c8:$s6: VirtualBox
  • 0xe426:$s8: Win32_ComputerSystem
  • 0x1094e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x109eb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10b00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10158:$cnc4: POST / HTTP/1.1
00000000.00000002.3280755045.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.3304438638.0000000012EE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.3304438638.0000000012EE1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xf140:$s6: VirtualBox
  • 0xf09e:$s8: Win32_ComputerSystem
  • 0x115c6:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11663:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11778:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10dd0:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
0.0.Java32.exe.b60000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.Java32.exe.b60000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.Java32.exe.b60000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xd5da:$str01: $VB$Local_Port
  • 0xd694:$str02: $VB$Local_Host
  • 0xb19a:$str03: get_Jpeg
  • 0xb85e:$str04: get_ServicePack
  • 0xebec:$str05: Select * from AntivirusProduct
  • 0xfa03:$str06: PCRestart
  • 0xfa17:$str07: shutdown.exe /f /r /t 0
  • 0xfac9:$str08: StopReport
  • 0xfa9f:$str09: StopDDos
  • 0xfba1:$str10: sendPlugin
  • 0xfd2f:$str12: -ExecutionPolicy Bypass -File "
  • 0x1043d:$str13: Content-length: 5235
0.0.Java32.exe.b60000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe6c8:$s6: VirtualBox
  • 0xe626:$s8: Win32_ComputerSystem
  • 0x10b4e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10beb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10d00:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10358:$cnc4: POST / HTTP/1.1
0.2.Java32.exe.12ee1a78.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

                      System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Java32.exe", ParentImage: C:\Users\user\Desktop\Java32.exe, ParentProcessId: 6520, ParentProcessName: Java32.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', ProcessId: 1656, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Java32.exe", ParentImage: C:\Users\user\Desktop\Java32.exe, ParentProcessId: 6520, ParentProcessName: Java32.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', ProcessId: 1656, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Java32.exe", ParentImage: C:\Users\user\Desktop\Java32.exe, ParentProcessId: 6520, ParentProcessName: Java32.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', ProcessId: 1656, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\Java32.exe, ProcessId: 6520, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Java32.exe", ParentImage: C:\Users\user\Desktop\Java32.exe, ParentProcessId: 6520, ParentProcessName: Java32.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe', ProcessId: 1656, ProcessName: powershell.exe
                      No Suricata rule has matched


                      AV Detection

Source: Java32.exe | Avira: detected
Source: C:\ProgramData\Java Update(32bit).exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: Java32.exe | Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.234"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.4"}
Source: C:\ProgramData\Java Update(32bit).exe | ReversingLabs: Detection: 76%
Source: Java32.exe | Virustotal: Detection: 77%
Source: Java32.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\Java Update(32bit).exe | Joe Sandbox ML: detected
Source: Java32.exe | Joe Sandbox ML: detected
Source: Java32.exe | String decryptor: 45.141.26.234
Source: Java32.exe | String decryptor: 7000
Source: Java32.exe | String decryptor: <123456789>
Source: Java32.exe | String decryptor: <Xwormmm>
Source: Java32.exe | String decryptor: XWorm V5.4
Source: Java32.exe | String decryptor: USB.exe
Source: Java32.exe | String decryptor: %ProgramData%
Source: Java32.exe | String decryptor: Java Update(32bit).exe
Source: Java32.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Java32.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

Source: Malware configuration extractor | URLs: 45.141.26.234
Source: Yara match | File source: Java32.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Java32.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.5:49975 -> 45.141.26.234:7000
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: SPECTRAIPSpectraIPBVNL
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 45.141.26.234
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 00000005.00000002.2210252051.000002B170703000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2587286696.000001ECF845E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000005.00000002.2210252051.000002B170703000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2587286696.000001ECF845E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000008.00000002.2376698872.0000014C6EDE0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
Source: Java32.exe, Java Update(32bit).exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2103080427.000001FDF5871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196994742.000002B168321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350753391.0000014C10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2556361661.000001ECEFE2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2420491413.000001ECDFFEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2080562357.000001FDE5A29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2142001821.000002B1584D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2260866847.0000014C00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2420491413.000001ECDFFEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Java32.exe, 00000000.00000002.3280755045.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2080562357.000001FDE5801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2142001821.000002B1582B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2260866847.0000014C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2420491413.000001ECDFDC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2080562357.000001FDE5A29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2142001821.000002B1584D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2260866847.0000014C00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2420491413.000001ECDFFEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2420491413.000001ECDFFEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.2212728245.000002B170830000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2584026441.000001ECF8290000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.2080562357.000001FDE5801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2142001821.000002B1582B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2260866847.0000014C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2420491413.000001ECDFDC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2556361661.000001ECEFE2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2556361661.000001ECEFE2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2556361661.000001ECEFE2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2420491413.000001ECDFFEA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2107774025.000001FDFDD78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.microsoft.co
Source: powershell.exe, 00000002.00000002.2109287911.000001FDFE1AC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.535A
Source: powershell.exe, 00000002.00000002.2103080427.000001FDF5871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196994742.000002B168321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350753391.0000014C10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2556361661.000001ECEFE2F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                      Operating System Destruction

Source: C:\Users\user\Desktop\Java32.exe | Process information set: 01 00 00 00

                      System Summary

                      Source: Java32.exe, type: SAMPLE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings (Author: Sekoia.io)
                      Source: Java32.exe, type: SAMPLE | Matched rule: Detects AsyncRAT (Author: ditekSHen)
                      Source: 0.0.Java32.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings (Author: Sekoia.io)
                      Source: 0.0.Java32.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT (Author: ditekSHen)
                      Source: 0.2.Java32.exe.12ee1a78.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings (Author: Sekoia.io)
                      Source: 0.2.Java32.exe.12ee1a78.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT (Author: ditekSHen)
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings (Author: Sekoia.io)
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT (Author: ditekSHen)
                      Source: 00000000.00000000.2003941272.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT (Author: ditekSHen)
                      Source: 00000000.00000002.3304438638.0000000012EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT (Author: ditekSHen)
                      Source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings (Author: Sekoia.io)
                      Source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED | Matched rule: Detects AsyncRAT (Author: ditekSHen)
                      Source: C:\Users\user\Desktop\Java32.exe | Code function: 0_2_00007FF848F16AC2
                      Source: C:\Users\user\Desktop\Java32.exe | Code function: 0_2_00007FF848F15D16
                      Source: C:\Users\user\Desktop\Java32.exe | Code function: 0_2_00007FF848F1108D
                      Source: C:\Users\user\Desktop\Java32.exe | Code function: 0_2_00007FF848F11BD1
                      Source: C:\Users\user\Desktop\Java32.exe | Code function: 0_2_00007FF848F144ED
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848FE3330
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848FE30E9
                      Source: Java32.exe, 00000000.00000002.3304438638.0000000012EE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs Java32.exe
                      Source: Java32.exe, 00000000.00000000.2003964471.0000000000B76000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs Java32.exe
                      Source: Java32.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs Java32.exe
                      Source: Java32.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: Java32.exe, type: SAMPLE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: Java32.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.0.Java32.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: 0.0.Java32.exe.b60000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.Java32.exe.12ee1a78.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: 0.2.Java32.exe.12ee1a78.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000000.2003941272.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000002.3304438638.0000000012EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                      Source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: Java32.exe, zcR60cfRB95.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: Java32.exe, ZjgOIt8bTP1.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: Java Update(32bit).exe.0.dr, zcR60cfRB95.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: Java Update(32bit).exe.0.dr, ZjgOIt8bTP1.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, zcR60cfRB95.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, ZjgOIt8bTP1.cs | Cryptographic APIs: 'TransformFinalBlock'
                      Source: Java32.exe, LBTp3YK8zXR.cs | Base64 encoded string: 'nsQkjmS8RhyKQwUQcoTZX2rfkO6TrxP1V9Rrxoim5azAyflDQNMzVLz4fE16J0xgtuimVEmAs0S5uYjC4wGriV2RHJfyanBR'
                      Source: Java32.exe, ZjgOIt8bTP1.cs | Base64 encoded string: 'iyfmYeyWTvNJ4YV9XzAQ4wRQqo0hUfP5kCSZYGK6E2f5oi1aY3z6KuCoykGY75AKcQsb2Dzgxi9y0fv6D2b1rcjM75DbCEbu', 'LaPm1y9PuIM5nSZg5ciyFGG1pVGVrxr8AxjjL0GrniiZJ1SxWPqRQdrMGcNPZ1KdWtPcKkP5FqhkGfKbwCw9NbnhWKMitfIW', 'Oc4WGFBP94cDQtThMKhI9AwyNpW9J94M2Ze6qEjxpVdcXVzd2Jr6HFlm5IgzAT503kFjbZf79d3NPmR3Z3Qb5k0jv1DBKDfG', 'Y4kI6JdgKS2LqHSpomv2vV9HJOW0U8Hf5od5DE2YkZJU8hPq6H1wXewajCsNye7HFgLcpjfhPNjFYkIO71D2FhYbkwH4kl69', 'Zcwy0NIetcKDIIMo2Ps599f7kuwjXVpPuJtXGx2JnXRG26r7ccp7Z7RNtfo22lEhDRdIKNoMSjbgwkwBdJUz2EGkK0jKX3E4', 'rMdSNnOZ7S974OH1AcNNC2x3cHIqqFHeOSEi77Za1oEocu5YqT6WZT77XIyVBiOeGLOGT5sNwP49wOHnxzuFrEJCxSheXezD', 'vRHgd879m9UGVacHBiu1NRSr7SjJPBPRrezdcfzI39RygQTCM3dIf1zvw2krgH6QgC1D0gzUFC3P20vlBRFs3fFRvZfc6vJr', 'KAA2mmCHsN6DMzgJnUMDOgQTZ0UZnGmOistDureECzm5gbbyvZMhxuKaQIKPWIaQE2UsTznu0O0bnY4bPqsv5G4Sz3UZ2Ty8'
                      Source: Java Update(32bit).exe.0.dr, LBTp3YK8zXR.cs | Base64 encoded string: 'nsQkjmS8RhyKQwUQcoTZX2rfkO6TrxP1V9Rrxoim5azAyflDQNMzVLz4fE16J0xgtuimVEmAs0S5uYjC4wGriV2RHJfyanBR'
                      Source: Java Update(32bit).exe.0.dr, ZjgOIt8bTP1.cs | Base64 encoded string: 'iyfmYeyWTvNJ4YV9XzAQ4wRQqo0hUfP5kCSZYGK6E2f5oi1aY3z6KuCoykGY75AKcQsb2Dzgxi9y0fv6D2b1rcjM75DbCEbu', 'LaPm1y9PuIM5nSZg5ciyFGG1pVGVrxr8AxjjL0GrniiZJ1SxWPqRQdrMGcNPZ1KdWtPcKkP5FqhkGfKbwCw9NbnhWKMitfIW', 'Oc4WGFBP94cDQtThMKhI9AwyNpW9J94M2Ze6qEjxpVdcXVzd2Jr6HFlm5IgzAT503kFjbZf79d3NPmR3Z3Qb5k0jv1DBKDfG', 'Y4kI6JdgKS2LqHSpomv2vV9HJOW0U8Hf5od5DE2YkZJU8hPq6H1wXewajCsNye7HFgLcpjfhPNjFYkIO71D2FhYbkwH4kl69', 'Zcwy0NIetcKDIIMo2Ps599f7kuwjXVpPuJtXGx2JnXRG26r7ccp7Z7RNtfo22lEhDRdIKNoMSjbgwkwBdJUz2EGkK0jKX3E4', 'rMdSNnOZ7S974OH1AcNNC2x3cHIqqFHeOSEi77Za1oEocu5YqT6WZT77XIyVBiOeGLOGT5sNwP49wOHnxzuFrEJCxSheXezD', 'vRHgd879m9UGVacHBiu1NRSr7SjJPBPRrezdcfzI39RygQTCM3dIf1zvw2krgH6QgC1D0gzUFC3P20vlBRFs3fFRvZfc6vJr', 'KAA2mmCHsN6DMzgJnUMDOgQTZ0UZnGmOistDureECzm5gbbyvZMhxuKaQIKPWIaQE2UsTznu0O0bnY4bPqsv5G4Sz3UZ2Ty8'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, LBTp3YK8zXR.cs | Base64 encoded string: 'nsQkjmS8RhyKQwUQcoTZX2rfkO6TrxP1V9Rrxoim5azAyflDQNMzVLz4fE16J0xgtuimVEmAs0S5uYjC4wGriV2RHJfyanBR'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, ZjgOIt8bTP1.cs | Base64 encoded string: 'iyfmYeyWTvNJ4YV9XzAQ4wRQqo0hUfP5kCSZYGK6E2f5oi1aY3z6KuCoykGY75AKcQsb2Dzgxi9y0fv6D2b1rcjM75DbCEbu', 'LaPm1y9PuIM5nSZg5ciyFGG1pVGVrxr8AxjjL0GrniiZJ1SxWPqRQdrMGcNPZ1KdWtPcKkP5FqhkGfKbwCw9NbnhWKMitfIW', 'Oc4WGFBP94cDQtThMKhI9AwyNpW9J94M2Ze6qEjxpVdcXVzd2Jr6HFlm5IgzAT503kFjbZf79d3NPmR3Z3Qb5k0jv1DBKDfG', 'Y4kI6JdgKS2LqHSpomv2vV9HJOW0U8Hf5od5DE2YkZJU8hPq6H1wXewajCsNye7HFgLcpjfhPNjFYkIO71D2FhYbkwH4kl69', 'Zcwy0NIetcKDIIMo2Ps599f7kuwjXVpPuJtXGx2JnXRG26r7ccp7Z7RNtfo22lEhDRdIKNoMSjbgwkwBdJUz2EGkK0jKX3E4', 'rMdSNnOZ7S974OH1AcNNC2x3cHIqqFHeOSEi77Za1oEocu5YqT6WZT77XIyVBiOeGLOGT5sNwP49wOHnxzuFrEJCxSheXezD', 'vRHgd879m9UGVacHBiu1NRSr7SjJPBPRrezdcfzI39RygQTCM3dIf1zvw2krgH6QgC1D0gzUFC3P20vlBRFs3fFRvZfc6vJr', 'KAA2mmCHsN6DMzgJnUMDOgQTZ0UZnGmOistDureECzm5gbbyvZMhxuKaQIKPWIaQE2UsTznu0O0bnY4bPqsv5G4Sz3UZ2Ty8'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, tZ6oft7BzSb4AfcJ9HE1ARiYZ6GxZE8r9pfmFUl7orHhqkVaHLN.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, tZ6oft7BzSb4AfcJ9HE1ARiYZ6GxZE8r9pfmFUl7orHhqkVaHLN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: Java32.exe, tZ6oft7BzSb4AfcJ9HE1ARiYZ6GxZE8r9pfmFUl7orHhqkVaHLN.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: Java32.exe, tZ6oft7BzSb4AfcJ9HE1ARiYZ6GxZE8r9pfmFUl7orHhqkVaHLN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: Java Update(32bit).exe.0.dr, tZ6oft7BzSb4AfcJ9HE1ARiYZ6GxZE8r9pfmFUl7orHhqkVaHLN.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: Java Update(32bit).exe.0.dr, tZ6oft7BzSb4AfcJ9HE1ARiYZ6GxZE8r9pfmFUl7orHhqkVaHLN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engine | Classification label: mal100.troj.evad.winEXE@13/20@1/2
                      Source: C:\Users\user\Desktop\Java32.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6480:120:WilError_03
                      Source: C:\Users\user\Desktop\Java32.exe | Mutant created: \Sessions\1\BaseNamedObjects\AxB15x9akOEycdV7
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5488:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_03
                      Source: C:\Users\user\Desktop\Java32.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
                      Source: Java32.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Java32.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      Source: C:\Users\user\Desktop\Java32.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: C:\Users\user\Desktop\Java32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: Java32.exe | Virustotal: Detection: 77%
                      Source: Java32.exe | ReversingLabs: Detection: 76%
                      Source: C:\Users\user\Desktop\Java32.exe | File read: C:\Users\user\Desktop\Java32.exe
                      Source: unknown | Process created: C:\Users\user\Desktop\Java32.exe "C:\Users\user\Desktop\Java32.exe"
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java32.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe'
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java32.exe'
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: version.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: rasapi32.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: rasman.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: rtutils.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: propsys.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: bcp47langs.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: sxs.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: mpr.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: scrrun.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: linkinfo.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: ntshrui.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: cscapi.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: avicap32.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: msvfw32.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Section loaded: winmm.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\Desktop\Java32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                      Source: Java Update(32bit).lnk.0.drLNK file: ..\..\..\..\..\..\..\..\..\ProgramData\Java Update(32bit).exe
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                      Source: Java32.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Java32.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: Java32.exe, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg._7Cir8VyCJoxFUAQMVz7Ujgh1OoLTn1k91NgO0AXuHqwxtMvUD2QCW4ihQO5ZDND7lv,_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg.WwhlMAbVgKOLMf3gHRXzLJbc71otHVQgk48YCE8N7YSMxmxIfPKZPiGXFTeAK7jAeU,_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg.G7qGcrmcglFRPDIo2Al5tiSoJzSPhiQhuFJxaPkFURJDEZBgaSGNnsVt0c84BJujCs,_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg._4MOiw7wZaoa9OFVSNb3wHnS7XSd2PpOVnWOomVUuryoYN7pFuv0gvwS4yWSwwS5y6V,ZjgOIt8bTP1.R7fdu7cL0py()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Java32.exe, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_5K0gpmk0sb1tdfk89SXL0QnklxE0ouU8TOaff07FWXb8jpQFSEjPji7pEoXetCTMrE7PSeoE9173F9MqMbD[2],ZjgOIt8bTP1.I7icBfObOt0(Convert.FromBase64String(_5K0gpmk0sb1tdfk89SXL0QnklxE0ouU8TOaff07FWXb8jpQFSEjPji7pEoXetCTMrE7PSeoE9173F9MqMbD[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Java32.exe, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _5K0gpmk0sb1tdfk89SXL0QnklxE0ouU8TOaff07FWXb8jpQFSEjPji7pEoXetCTMrE7PSeoE9173F9MqMbD[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Java Update(32bit).exe.0.dr, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg._7Cir8VyCJoxFUAQMVz7Ujgh1OoLTn1k91NgO0AXuHqwxtMvUD2QCW4ihQO5ZDND7lv,_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg.WwhlMAbVgKOLMf3gHRXzLJbc71otHVQgk48YCE8N7YSMxmxIfPKZPiGXFTeAK7jAeU,_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg.G7qGcrmcglFRPDIo2Al5tiSoJzSPhiQhuFJxaPkFURJDEZBgaSGNnsVt0c84BJujCs,_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg._4MOiw7wZaoa9OFVSNb3wHnS7XSd2PpOVnWOomVUuryoYN7pFuv0gvwS4yWSwwS5y6V,ZjgOIt8bTP1.R7fdu7cL0py()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Java Update(32bit).exe.0.dr, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_5K0gpmk0sb1tdfk89SXL0QnklxE0ouU8TOaff07FWXb8jpQFSEjPji7pEoXetCTMrE7PSeoE9173F9MqMbD[2],ZjgOIt8bTP1.I7icBfObOt0(Convert.FromBase64String(_5K0gpmk0sb1tdfk89SXL0QnklxE0ouU8TOaff07FWXb8jpQFSEjPji7pEoXetCTMrE7PSeoE9173F9MqMbD[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Java Update(32bit).exe.0.dr, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _5K0gpmk0sb1tdfk89SXL0QnklxE0ouU8TOaff07FWXb8jpQFSEjPji7pEoXetCTMrE7PSeoE9173F9MqMbD[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg._7Cir8VyCJoxFUAQMVz7Ujgh1OoLTn1k91NgO0AXuHqwxtMvUD2QCW4ihQO5ZDND7lv,_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg.WwhlMAbVgKOLMf3gHRXzLJbc71otHVQgk48YCE8N7YSMxmxIfPKZPiGXFTeAK7jAeU,_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg.G7qGcrmcglFRPDIo2Al5tiSoJzSPhiQhuFJxaPkFURJDEZBgaSGNnsVt0c84BJujCs,_9ZXL3YS6LLCjnonjUXc1PnvVh4UTrHpWg._4MOiw7wZaoa9OFVSNb3wHnS7XSd2PpOVnWOomVUuryoYN7pFuv0gvwS4yWSwwS5y6V,ZjgOIt8bTP1.R7fdu7cL0py()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_5K0gpmk0sb1tdfk89SXL0QnklxE0ouU8TOaff07FWXb8jpQFSEjPji7pEoXetCTMrE7PSeoE9173F9MqMbD[2],ZjgOIt8bTP1.I7icBfObOt0(Convert.FromBase64String(_5K0gpmk0sb1tdfk89SXL0QnklxE0ouU8TOaff07FWXb8jpQFSEjPji7pEoXetCTMrE7PSeoE9173F9MqMbD[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _5K0gpmk0sb1tdfk89SXL0QnklxE0ouU8TOaff07FWXb8jpQFSEjPji7pEoXetCTMrE7PSeoE9173F9MqMbD[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Java32.exe, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: Zc96rT8c18YY6h65e4JcxuoSPsbCmz305Lk37xFNPrIdd83R6c7 System.AppDomain.Load(byte[])
                      Source: Java32.exe, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: cP8zyekB0IgsOiDx733zJohbvZ6kmAN4loxRD3apu8KVEu3eNZIYtMgfLgoQFjinLaOaR3CWyVSu6t3SN4k System.AppDomain.Load(byte[])
                      Source: Java32.exe, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: cP8zyekB0IgsOiDx733zJohbvZ6kmAN4loxRD3apu8KVEu3eNZIYtMgfLgoQFjinLaOaR3CWyVSu6t3SN4k
                      Source: Java Update(32bit).exe.0.dr, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: Zc96rT8c18YY6h65e4JcxuoSPsbCmz305Lk37xFNPrIdd83R6c7 System.AppDomain.Load(byte[])
                      Source: Java Update(32bit).exe.0.dr, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: cP8zyekB0IgsOiDx733zJohbvZ6kmAN4loxRD3apu8KVEu3eNZIYtMgfLgoQFjinLaOaR3CWyVSu6t3SN4k System.AppDomain.Load(byte[])
                      Source: Java Update(32bit).exe.0.dr, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: cP8zyekB0IgsOiDx733zJohbvZ6kmAN4loxRD3apu8KVEu3eNZIYtMgfLgoQFjinLaOaR3CWyVSu6t3SN4k
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: Zc96rT8c18YY6h65e4JcxuoSPsbCmz305Lk37xFNPrIdd83R6c7 System.AppDomain.Load(byte[])
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: cP8zyekB0IgsOiDx733zJohbvZ6kmAN4loxRD3apu8KVEu3eNZIYtMgfLgoQFjinLaOaR3CWyVSu6t3SN4k System.AppDomain.Load(byte[])
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs.Net Code: cP8zyekB0IgsOiDx733zJohbvZ6kmAN4loxRD3apu8KVEu3eNZIYtMgfLgoQFjinLaOaR3CWyVSu6t3SN4k
                      Source: C:\Users\user\Desktop\Java32.exeCode function: 0_2_00007FF848F19990 push eax; ret 0_2_00007FF848F199B3
                      Source: C:\Users\user\Desktop\Java32.exeCode function: 0_2_00007FF848F178FB push ebx; retf 0_2_00007FF848F1796A
                      Source: C:\Users\user\Desktop\Java32.exeCode function: 0_2_00007FF848F19980 push eax; ret 0_2_00007FF848F199B3
                      Source: C:\Users\user\Desktop\Java32.exeCode function: 0_2_00007FF848F1789D push ebx; retf 0_2_00007FF848F1796A
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848DFD2A5 pushad ; iretd 2_2_00007FF848DFD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F1B9FA push E85A11D7h; ret 2_2_00007FF848F1BAF9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F10998 push E95A12D0h; ret 2_2_00007FF848F109C9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F11090 push E85EDC0Dh; ret 2_2_00007FF848F110F9
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848FE2316 push 8B485F94h; iretd 2_2_00007FF848FE231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848E0D2A5 pushad ; iretd 5_2_00007FF848E0D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848FF2316 push 8B485F93h; iretd 5_2_00007FF848FF231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848E1D2A5 pushad ; iretd 8_2_00007FF848E1D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF849002316 push 8B485F92h; iretd 8_2_00007FF84900231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848DFD2A5 pushad ; iretd 10_2_00007FF848DFD2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848F1C2C5 push ebx; iretd 10_2_00007FF848F1C2DA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848FE2316 push 8B485F94h; iretd 10_2_00007FF848FE231B
                      Source: Java32.exe, LBTp3YK8zXR.csHigh entropy of concatenated method names: 'WtTqB1JZ7dI', 'u0qkALmhJ2a', 'gt7uJ6VPmEw', 'GDrf2DREPbYJjC8PudQ0nzUkxjw2JItFUqBiTHojKa750ic0wAA2i0e4xpGiUb9p3jSbP2TkTLbrcKY28ewdgt5BpGaYdMD7', 'gPNfbGMrbdtaOOT7Bijxh9DVA20XOWK5NdTex4GF7IT30hNR6VyQkyBYmYJYDzeL6p9nvb4QfoHQJgBdiyYqfZo9rZrTWBZM', 'EQoJk7UvVdxRWj7IUnrmFEu5TdCKPkKYEbZhL2Q14ayBxFTswEBj793OnZHfuCV4jX427JUXVPnJN8sROFyK868yHLMznN4r', 'tpqzcs0whoSf6iY9E4qXXoMGAI7GL4VZlMHbOUhBa4nMezlBZkQvddQIkySNJKQzXkQh6R6tWpkqVwLQpaxlkuQOQEAONvyl', 'CQVyeqMscg7TcNpE4D4OrXXnwMLw7yqDQ885y5', 'Sfuc3X9Z6BxBuBDkqPeLRDuuBbjAahv9PXDt0o', 'dyT6bp1QAe3HBIC0L21LCQ1aLwk0LfnM94TZp6'
                      Source: Java32.exe, 2AKpcC5Z2bURvKt9uMpYYZhoU49gC6WtNJNIn7adr9RU2vHsNBvYbJ3EHaRzPtWURQxvWy0d99fApARzJPaxfNkw9XE.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'KbPoBucKIpFy4zrdEOZkfAyA3SrI', 'KqurzA55EmbdbAsyi4VLSJcuFxwr', 'T3DZJnpGpBGB6qYLVxucEysSmiL6', 'Ol6qO6T3OdhFmTsEXPepw2vJKT8f'
                      Source: Java32.exe, XTJMjCSnnVl.csHigh entropy of concatenated method names: 'xahQwM1ntDE', '_8gw5EX1ocEi', 'J6H2fpI3TsZ', 'odHvo6bN9R9', 'LGHnnGyqmdnt46LFmiBqY', 'PHaC6qgnqeGxrnLQdJMFJ', '_0T0ZLSQl2EGlCSMuarP45', 'wN0MsdZv48Fm7sb0R9Klb', 'BOilHbLzBrQq5e2BAqW7h', 'MznZpvxKycDqVu2Qthf9u'
                      Source: Java32.exe, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.csHigh entropy of concatenated method names: 'NUqA7mJDqid0VDivE5WLXqQ54Qqi34VO4vKm1wCoCf9WQkuieQw', 'Zc96rT8c18YY6h65e4JcxuoSPsbCmz305Lk37xFNPrIdd83R6c7', 'FdvevIq6ilGjcYIQ1rc0WEjPY2jcXJttB7azvjlS9eFCMFxoUkL', '_1MZFNV4CvKDmX0ymfA5ZXrKmrz6czfWKSg9c1G8FHtcExggx7UZ', 'jzYfHZMnOA6tjb6gzcPbfeQl7FIrHi4xzTobTqIvMql8en11xFp', 'P9Hz3A62ZCPRorFvJkWNd0tpQnHmPbDYMiLUS1UZK0vF2to2ZOXCTH7scrWvbmfdGT7xVCcR3M2VIeo4FhU', 'mHTgoQsNrLYUYGPpXa5NuH4q2GgEsCUslEaqyXyA3E6jPDZUU9BviIdrUJRs9XsEqMoTrIf0qJsyzLiTJo2', 'b6wjHf0Rg1mLAbFv0Pegz0ktw132BIGCZJEpF5thYjwZjcEC0cptDxw90WWnmPz5b7XYyJo2KYrxvaJ9unm', 'Oiuvdu4K4t87SN9opvxdrxZrDUbPxWM3JHJbFu11BY8PwrJfb4fybBMZyg64E0RemiApgIaG1ZpWeMeQg1G', 'zNG7ed4s53WuUzRs105yx6UDv6CaWnybb4jVGBg3cjbg9nd7Z58zXDEwifITm61lrN4HWyiQbzVkH6dWPiv'
                      Source: Java32.exe, R2Vw38GeWoQxhB7YZMpUVZTRVm1YmgKxOBgtRc1PPm2HHOMzmnRE6zzdei8Z0B9itg14hLJavf6baUPLIgs.csHigh entropy of concatenated method names: 'iwC6oHNFS6s8VqpXDqE6UDNMQ76ZWBYrS8VpRX054JKOCAXfKyJFh05peQxaKKqP70hJUu0W1c3s4L0BNtV', 'UhNAlIFH5RugKPrTvzviu', 'pDtgkFJfQjKm0RRw5lcwO', 'IqGCXv8EuXPympjMprVz8', 'O0MpsjAWRS0vBwZ6wBHX3'
                      Source: Java32.exe, ZjgOIt8bTP1.csHigh entropy of concatenated method names: 'aucr7ZkA4xw', '_94MeGq5zstj', 'iNwykl13991', 'eA3ew7dTzTe', 'ziHWhSkB3W1', 'fLcn2O2HckP', 'Yie3uoOK8zw', 'yPcrDZRIb8o', '_6k7Vbrj5xnd', 'MjaxH5sQfiw'
                      Source: Java32.exe, 4rh9XCbhev68ifqwiI1JPsN5n2rAZX4JuNpVEyYbSt7s8HBGHcbm1xUD3NOy2HXKzemTVUwUg5k2taxMpn2.csHigh entropy of concatenated method names: '_7Lr2qqFQC0rR3jNf2BCDmLCF7or2eH5XYkYgGLSmpk2BWEcEEN64r44P2tOHWW6sHVeqi', 'gZOrqgy03YweFXdq571UtOhj3G582LzPu4obGSiPYMZZQJLUOO89iBXf2e43uipsRHiN4', 'w0S1zwdqEbG11PcNLBA0RaPjGyv82Sgvp7ovlDK6FaXVLSQUhOZX8OGS1SQUjnwkuCdrU', 'SFy9o7wCVquiB3vtXhMGRpSLJ8cYbTp7eey5ApiMyO1eLsccmIrBQM18gX1HvGCZlQ8uV', 'I9hTFfbmGamAi3N2vHdWhs7P2jnMLQDoyZgZxMz7gp9cB8JkpofjgFmDzuNrPRlb1CCFm', 'S2lbC4trDDKIes0wxZk9DcUc0g3xgH7YyD0fGY2GmRbWM9RkuHeX9BFB2KenZsPMV8S0s', 'IiofO32JXc6yolA9Fk21lIrmZgYmlflsky1cottq2xiIBZvngbKgdNrSHeA8sk2CMb1zJ', 'SQTEwrx8ZKKEyZfz1t8DWPXceIOnCGrR6Roe5W1rMkwAHwK9qw21hkKA5Ny0EbOFMFLvQ', '_7ybMLsyROvMdgJAReuO52pDr2KUMbAGW91ggTCmzlZb0lvx95yDqcqwoBvVZwWCLulfHn', 'ERvOF66yYsiFbr0Lpbdqd1lqXcO11VupCFpHMhecq3G8f3Aoa12RKa17bXRntpWmDCAQl'
                      Source: Java32.exe, tZ6oft7BzSb4AfcJ9HE1ARiYZ6GxZE8r9pfmFUl7orHhqkVaHLN.csHigh entropy of concatenated method names: '_9AQc4sjeen1iLd2tQkbiIaiHm2TlAi8zBnM8GGqe3tANTI1rs7d', 'h9oOLTKe8cPpdt7TjJTqUyqJVYnn5kSbjKcjgvqpSVaM8HUK334', '_8OMUxxCcLLv9CGUCXXkNQ4ddAaHWmIV6gyr9feY9pUGebr2KzNy', 'qHsZCO2RB37VHlemrCuR8xeQMFCfqE0JgTXuRTANy75RTIjEJXR', 'CJ4ahdJwNRotqv8eWCYv9gDbkyKoxPsS3KHLm9X9reLe4osDqR5', 'wnJ6g2IhCiEBIsyRAYC87R9Ju0kxQKpKUa1GMZeiR2R2NzfVIis', 'yhmNxKiK2d9G8O4rsur2BYe3pJVauFAZEBNES6gIrGCEJcSR1Yq', 'qXD0NKzvOXB1ylPaHKFwJ1pUqQHzMlNUhU5LyWysQ5w0K9OdRKr', 's68uMIIgTS6ICBr6AIAQLzfQewF7jj0aYvaWvw7hepN0XczN5Es', 'VEfyrR2CwFBej6gsgR6hg8qWt53et5zL2gzuRIj88vCyandwmWl'
                      Source: Java32.exe, MwyMYrB7y8ul081GLk0N2YqRVdXS53fNhilCcw2m5Lg6CxJf6PgkdwE4agrx6Mi5bA.csHigh entropy of concatenated method names: 'DMjU3qEuEyTTwKkQ6JYLvmMYI8GsCc4nIQcWnGhN1UZ4sZK9yljUbhi38eL2rAd8p6', 'aX8yKa0LTsudAMA7bGRhfxgW0Qx6RUGDUydAlrgYwEeSZdzA3NLHpmv3FYP71YBBU0', 'Elyw5OOv9ZXV8oOp8pSOqWlSiL7qZQ8uWUYEYrYldYzlY85fbFz73RfidvVqqdm5CB', 'cHhMprBcdBTBtLkeqip6GR8m9WKWlVtWYGPFjwWJhHbC6t1Z9xM5U1nJryeMadzGAH', 'KvAHq2S6BCShrEXrFzfZYr39RUV2thBF9orP8JM8B4xEy168hFdJWp8KHqJLQNRA4B', '_7cOLdM31gx0ByM2jh9BsouCr96MhoheFYdBO3YtWFAu9CklRw1Bi1HU0Ag9FqS0Ouo', 'NonlJdIaLlEpZYagY6BcjSgkNRRf5N6BdlWpYl4KvWd6OJ6WB5f6q3iQ2LMCixDY1k', '_4EWbizpjWvcu6D7T7pouFB2xDKxTaC0ulntOjelFfhVfHqmVA5OBkCMTge4a30ocZP', 'HeWF3BQD4bfTmYfhMI5tu3rYw1aAIADLhyNE8e7ShXJUOZ0uZ8Snlj7wgkANB1fZUP', 'CSGCTaWDTUfPDJoL32Z5Z5nOzWmNuq7HHy0CMmTQKYLn5pfRqsk'
                      Source: Java Update(32bit).exe.0.dr, LBTp3YK8zXR.csHigh entropy of concatenated method names: 'WtTqB1JZ7dI', 'u0qkALmhJ2a', 'gt7uJ6VPmEw', 'GDrf2DREPbYJjC8PudQ0nzUkxjw2JItFUqBiTHojKa750ic0wAA2i0e4xpGiUb9p3jSbP2TkTLbrcKY28ewdgt5BpGaYdMD7', 'gPNfbGMrbdtaOOT7Bijxh9DVA20XOWK5NdTex4GF7IT30hNR6VyQkyBYmYJYDzeL6p9nvb4QfoHQJgBdiyYqfZo9rZrTWBZM', 'EQoJk7UvVdxRWj7IUnrmFEu5TdCKPkKYEbZhL2Q14ayBxFTswEBj793OnZHfuCV4jX427JUXVPnJN8sROFyK868yHLMznN4r', 'tpqzcs0whoSf6iY9E4qXXoMGAI7GL4VZlMHbOUhBa4nMezlBZkQvddQIkySNJKQzXkQh6R6tWpkqVwLQpaxlkuQOQEAONvyl', 'CQVyeqMscg7TcNpE4D4OrXXnwMLw7yqDQ885y5', 'Sfuc3X9Z6BxBuBDkqPeLRDuuBbjAahv9PXDt0o', 'dyT6bp1QAe3HBIC0L21LCQ1aLwk0LfnM94TZp6'
                      Source: Java Update(32bit).exe.0.dr, 2AKpcC5Z2bURvKt9uMpYYZhoU49gC6WtNJNIn7adr9RU2vHsNBvYbJ3EHaRzPtWURQxvWy0d99fApARzJPaxfNkw9XE.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'KbPoBucKIpFy4zrdEOZkfAyA3SrI', 'KqurzA55EmbdbAsyi4VLSJcuFxwr', 'T3DZJnpGpBGB6qYLVxucEysSmiL6', 'Ol6qO6T3OdhFmTsEXPepw2vJKT8f'
                      Source: Java Update(32bit).exe.0.dr, XTJMjCSnnVl.csHigh entropy of concatenated method names: 'xahQwM1ntDE', '_8gw5EX1ocEi', 'J6H2fpI3TsZ', 'odHvo6bN9R9', 'LGHnnGyqmdnt46LFmiBqY', 'PHaC6qgnqeGxrnLQdJMFJ', '_0T0ZLSQl2EGlCSMuarP45', 'wN0MsdZv48Fm7sb0R9Klb', 'BOilHbLzBrQq5e2BAqW7h', 'MznZpvxKycDqVu2Qthf9u'
                      Source: Java Update(32bit).exe.0.dr, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.csHigh entropy of concatenated method names: 'NUqA7mJDqid0VDivE5WLXqQ54Qqi34VO4vKm1wCoCf9WQkuieQw', 'Zc96rT8c18YY6h65e4JcxuoSPsbCmz305Lk37xFNPrIdd83R6c7', 'FdvevIq6ilGjcYIQ1rc0WEjPY2jcXJttB7azvjlS9eFCMFxoUkL', '_1MZFNV4CvKDmX0ymfA5ZXrKmrz6czfWKSg9c1G8FHtcExggx7UZ', 'jzYfHZMnOA6tjb6gzcPbfeQl7FIrHi4xzTobTqIvMql8en11xFp', 'P9Hz3A62ZCPRorFvJkWNd0tpQnHmPbDYMiLUS1UZK0vF2to2ZOXCTH7scrWvbmfdGT7xVCcR3M2VIeo4FhU', 'mHTgoQsNrLYUYGPpXa5NuH4q2GgEsCUslEaqyXyA3E6jPDZUU9BviIdrUJRs9XsEqMoTrIf0qJsyzLiTJo2', 'b6wjHf0Rg1mLAbFv0Pegz0ktw132BIGCZJEpF5thYjwZjcEC0cptDxw90WWnmPz5b7XYyJo2KYrxvaJ9unm', 'Oiuvdu4K4t87SN9opvxdrxZrDUbPxWM3JHJbFu11BY8PwrJfb4fybBMZyg64E0RemiApgIaG1ZpWeMeQg1G', 'zNG7ed4s53WuUzRs105yx6UDv6CaWnybb4jVGBg3cjbg9nd7Z58zXDEwifITm61lrN4HWyiQbzVkH6dWPiv'
                      Source: Java Update(32bit).exe.0.dr, R2Vw38GeWoQxhB7YZMpUVZTRVm1YmgKxOBgtRc1PPm2HHOMzmnRE6zzdei8Z0B9itg14hLJavf6baUPLIgs.csHigh entropy of concatenated method names: 'iwC6oHNFS6s8VqpXDqE6UDNMQ76ZWBYrS8VpRX054JKOCAXfKyJFh05peQxaKKqP70hJUu0W1c3s4L0BNtV', 'UhNAlIFH5RugKPrTvzviu', 'pDtgkFJfQjKm0RRw5lcwO', 'IqGCXv8EuXPympjMprVz8', 'O0MpsjAWRS0vBwZ6wBHX3'
                      Source: Java Update(32bit).exe.0.dr, ZjgOIt8bTP1.csHigh entropy of concatenated method names: 'aucr7ZkA4xw', '_94MeGq5zstj', 'iNwykl13991', 'eA3ew7dTzTe', 'ziHWhSkB3W1', 'fLcn2O2HckP', 'Yie3uoOK8zw', 'yPcrDZRIb8o', '_6k7Vbrj5xnd', 'MjaxH5sQfiw'
                      Source: Java Update(32bit).exe.0.dr, 4rh9XCbhev68ifqwiI1JPsN5n2rAZX4JuNpVEyYbSt7s8HBGHcbm1xUD3NOy2HXKzemTVUwUg5k2taxMpn2.csHigh entropy of concatenated method names: '_7Lr2qqFQC0rR3jNf2BCDmLCF7or2eH5XYkYgGLSmpk2BWEcEEN64r44P2tOHWW6sHVeqi', 'gZOrqgy03YweFXdq571UtOhj3G582LzPu4obGSiPYMZZQJLUOO89iBXf2e43uipsRHiN4', 'w0S1zwdqEbG11PcNLBA0RaPjGyv82Sgvp7ovlDK6FaXVLSQUhOZX8OGS1SQUjnwkuCdrU', 'SFy9o7wCVquiB3vtXhMGRpSLJ8cYbTp7eey5ApiMyO1eLsccmIrBQM18gX1HvGCZlQ8uV', 'I9hTFfbmGamAi3N2vHdWhs7P2jnMLQDoyZgZxMz7gp9cB8JkpofjgFmDzuNrPRlb1CCFm', 'S2lbC4trDDKIes0wxZk9DcUc0g3xgH7YyD0fGY2GmRbWM9RkuHeX9BFB2KenZsPMV8S0s', 'IiofO32JXc6yolA9Fk21lIrmZgYmlflsky1cottq2xiIBZvngbKgdNrSHeA8sk2CMb1zJ', 'SQTEwrx8ZKKEyZfz1t8DWPXceIOnCGrR6Roe5W1rMkwAHwK9qw21hkKA5Ny0EbOFMFLvQ', '_7ybMLsyROvMdgJAReuO52pDr2KUMbAGW91ggTCmzlZb0lvx95yDqcqwoBvVZwWCLulfHn', 'ERvOF66yYsiFbr0Lpbdqd1lqXcO11VupCFpHMhecq3G8f3Aoa12RKa17bXRntpWmDCAQl'
                      Source: Java Update(32bit).exe.0.dr, tZ6oft7BzSb4AfcJ9HE1ARiYZ6GxZE8r9pfmFUl7orHhqkVaHLN.csHigh entropy of concatenated method names: '_9AQc4sjeen1iLd2tQkbiIaiHm2TlAi8zBnM8GGqe3tANTI1rs7d', 'h9oOLTKe8cPpdt7TjJTqUyqJVYnn5kSbjKcjgvqpSVaM8HUK334', '_8OMUxxCcLLv9CGUCXXkNQ4ddAaHWmIV6gyr9feY9pUGebr2KzNy', 'qHsZCO2RB37VHlemrCuR8xeQMFCfqE0JgTXuRTANy75RTIjEJXR', 'CJ4ahdJwNRotqv8eWCYv9gDbkyKoxPsS3KHLm9X9reLe4osDqR5', 'wnJ6g2IhCiEBIsyRAYC87R9Ju0kxQKpKUa1GMZeiR2R2NzfVIis', 'yhmNxKiK2d9G8O4rsur2BYe3pJVauFAZEBNES6gIrGCEJcSR1Yq', 'qXD0NKzvOXB1ylPaHKFwJ1pUqQHzMlNUhU5LyWysQ5w0K9OdRKr', 's68uMIIgTS6ICBr6AIAQLzfQewF7jj0aYvaWvw7hepN0XczN5Es', 'VEfyrR2CwFBej6gsgR6hg8qWt53et5zL2gzuRIj88vCyandwmWl'
                      Source: Java Update(32bit).exe.0.dr, MwyMYrB7y8ul081GLk0N2YqRVdXS53fNhilCcw2m5Lg6CxJf6PgkdwE4agrx6Mi5bA.csHigh entropy of concatenated method names: 'DMjU3qEuEyTTwKkQ6JYLvmMYI8GsCc4nIQcWnGhN1UZ4sZK9yljUbhi38eL2rAd8p6', 'aX8yKa0LTsudAMA7bGRhfxgW0Qx6RUGDUydAlrgYwEeSZdzA3NLHpmv3FYP71YBBU0', 'Elyw5OOv9ZXV8oOp8pSOqWlSiL7qZQ8uWUYEYrYldYzlY85fbFz73RfidvVqqdm5CB', 'cHhMprBcdBTBtLkeqip6GR8m9WKWlVtWYGPFjwWJhHbC6t1Z9xM5U1nJryeMadzGAH', 'KvAHq2S6BCShrEXrFzfZYr39RUV2thBF9orP8JM8B4xEy168hFdJWp8KHqJLQNRA4B', '_7cOLdM31gx0ByM2jh9BsouCr96MhoheFYdBO3YtWFAu9CklRw1Bi1HU0Ag9FqS0Ouo', 'NonlJdIaLlEpZYagY6BcjSgkNRRf5N6BdlWpYl4KvWd6OJ6WB5f6q3iQ2LMCixDY1k', '_4EWbizpjWvcu6D7T7pouFB2xDKxTaC0ulntOjelFfhVfHqmVA5OBkCMTge4a30ocZP', 'HeWF3BQD4bfTmYfhMI5tu3rYw1aAIADLhyNE8e7ShXJUOZ0uZ8Snlj7wgkANB1fZUP', 'CSGCTaWDTUfPDJoL32Z5Z5nOzWmNuq7HHy0CMmTQKYLn5pfRqsk'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, LBTp3YK8zXR.csHigh entropy of concatenated method names: 'WtTqB1JZ7dI', 'u0qkALmhJ2a', 'gt7uJ6VPmEw', 'GDrf2DREPbYJjC8PudQ0nzUkxjw2JItFUqBiTHojKa750ic0wAA2i0e4xpGiUb9p3jSbP2TkTLbrcKY28ewdgt5BpGaYdMD7', 'gPNfbGMrbdtaOOT7Bijxh9DVA20XOWK5NdTex4GF7IT30hNR6VyQkyBYmYJYDzeL6p9nvb4QfoHQJgBdiyYqfZo9rZrTWBZM', 'EQoJk7UvVdxRWj7IUnrmFEu5TdCKPkKYEbZhL2Q14ayBxFTswEBj793OnZHfuCV4jX427JUXVPnJN8sROFyK868yHLMznN4r', 'tpqzcs0whoSf6iY9E4qXXoMGAI7GL4VZlMHbOUhBa4nMezlBZkQvddQIkySNJKQzXkQh6R6tWpkqVwLQpaxlkuQOQEAONvyl', 'CQVyeqMscg7TcNpE4D4OrXXnwMLw7yqDQ885y5', 'Sfuc3X9Z6BxBuBDkqPeLRDuuBbjAahv9PXDt0o', 'dyT6bp1QAe3HBIC0L21LCQ1aLwk0LfnM94TZp6'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, 2AKpcC5Z2bURvKt9uMpYYZhoU49gC6WtNJNIn7adr9RU2vHsNBvYbJ3EHaRzPtWURQxvWy0d99fApARzJPaxfNkw9XE.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'KbPoBucKIpFy4zrdEOZkfAyA3SrI', 'KqurzA55EmbdbAsyi4VLSJcuFxwr', 'T3DZJnpGpBGB6qYLVxucEysSmiL6', 'Ol6qO6T3OdhFmTsEXPepw2vJKT8f'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, XTJMjCSnnVl.csHigh entropy of concatenated method names: 'xahQwM1ntDE', '_8gw5EX1ocEi', 'J6H2fpI3TsZ', 'odHvo6bN9R9', 'LGHnnGyqmdnt46LFmiBqY', 'PHaC6qgnqeGxrnLQdJMFJ', '_0T0ZLSQl2EGlCSMuarP45', 'wN0MsdZv48Fm7sb0R9Klb', 'BOilHbLzBrQq5e2BAqW7h', 'MznZpvxKycDqVu2Qthf9u'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, 5XgDzgZ7pD82UsfRsIA20ebEnuDJ9iIMzK4hCkrZx4HudJQSGlw.cs - High entropy of concatenated method names: 'NUqA7mJDqid0VDivE5WLXqQ54Qqi34VO4vKm1wCoCf9WQkuieQw', 'Zc96rT8c18YY6h65e4JcxuoSPsbCmz305Lk37xFNPrIdd83R6c7', 'FdvevIq6ilGjcYIQ1rc0WEjPY2jcXJttB7azvjlS9eFCMFxoUkL', '_1MZFNV4CvKDmX0ymfA5ZXrKmrz6czfWKSg9c1G8FHtcExggx7UZ', 'jzYfHZMnOA6tjb6gzcPbfeQl7FIrHi4xzTobTqIvMql8en11xFp', 'P9Hz3A62ZCPRorFvJkWNd0tpQnHmPbDYMiLUS1UZK0vF2to2ZOXCTH7scrWvbmfdGT7xVCcR3M2VIeo4FhU', 'mHTgoQsNrLYUYGPpXa5NuH4q2GgEsCUslEaqyXyA3E6jPDZUU9BviIdrUJRs9XsEqMoTrIf0qJsyzLiTJo2', 'b6wjHf0Rg1mLAbFv0Pegz0ktw132BIGCZJEpF5thYjwZjcEC0cptDxw90WWnmPz5b7XYyJo2KYrxvaJ9unm', 'Oiuvdu4K4t87SN9opvxdrxZrDUbPxWM3JHJbFu11BY8PwrJfb4fybBMZyg64E0RemiApgIaG1ZpWeMeQg1G', 'zNG7ed4s53WuUzRs105yx6UDv6CaWnybb4jVGBg3cjbg9nd7Z58zXDEwifITm61lrN4HWyiQbzVkH6dWPiv'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, R2Vw38GeWoQxhB7YZMpUVZTRVm1YmgKxOBgtRc1PPm2HHOMzmnRE6zzdei8Z0B9itg14hLJavf6baUPLIgs.cs - High entropy of concatenated method names: 'iwC6oHNFS6s8VqpXDqE6UDNMQ76ZWBYrS8VpRX054JKOCAXfKyJFh05peQxaKKqP70hJUu0W1c3s4L0BNtV', 'UhNAlIFH5RugKPrTvzviu', 'pDtgkFJfQjKm0RRw5lcwO', 'IqGCXv8EuXPympjMprVz8', 'O0MpsjAWRS0vBwZ6wBHX3'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, ZjgOIt8bTP1.cs - High entropy of concatenated method names: 'aucr7ZkA4xw', '_94MeGq5zstj', 'iNwykl13991', 'eA3ew7dTzTe', 'ziHWhSkB3W1', 'fLcn2O2HckP', 'Yie3uoOK8zw', 'yPcrDZRIb8o', '_6k7Vbrj5xnd', 'MjaxH5sQfiw'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, 4rh9XCbhev68ifqwiI1JPsN5n2rAZX4JuNpVEyYbSt7s8HBGHcbm1xUD3NOy2HXKzemTVUwUg5k2taxMpn2.cs - High entropy of concatenated method names: '_7Lr2qqFQC0rR3jNf2BCDmLCF7or2eH5XYkYgGLSmpk2BWEcEEN64r44P2tOHWW6sHVeqi', 'gZOrqgy03YweFXdq571UtOhj3G582LzPu4obGSiPYMZZQJLUOO89iBXf2e43uipsRHiN4', 'w0S1zwdqEbG11PcNLBA0RaPjGyv82Sgvp7ovlDK6FaXVLSQUhOZX8OGS1SQUjnwkuCdrU', 'SFy9o7wCVquiB3vtXhMGRpSLJ8cYbTp7eey5ApiMyO1eLsccmIrBQM18gX1HvGCZlQ8uV', 'I9hTFfbmGamAi3N2vHdWhs7P2jnMLQDoyZgZxMz7gp9cB8JkpofjgFmDzuNrPRlb1CCFm', 'S2lbC4trDDKIes0wxZk9DcUc0g3xgH7YyD0fGY2GmRbWM9RkuHeX9BFB2KenZsPMV8S0s', 'IiofO32JXc6yolA9Fk21lIrmZgYmlflsky1cottq2xiIBZvngbKgdNrSHeA8sk2CMb1zJ', 'SQTEwrx8ZKKEyZfz1t8DWPXceIOnCGrR6Roe5W1rMkwAHwK9qw21hkKA5Ny0EbOFMFLvQ', '_7ybMLsyROvMdgJAReuO52pDr2KUMbAGW91ggTCmzlZb0lvx95yDqcqwoBvVZwWCLulfHn', 'ERvOF66yYsiFbr0Lpbdqd1lqXcO11VupCFpHMhecq3G8f3Aoa12RKa17bXRntpWmDCAQl'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, tZ6oft7BzSb4AfcJ9HE1ARiYZ6GxZE8r9pfmFUl7orHhqkVaHLN.cs - High entropy of concatenated method names: '_9AQc4sjeen1iLd2tQkbiIaiHm2TlAi8zBnM8GGqe3tANTI1rs7d', 'h9oOLTKe8cPpdt7TjJTqUyqJVYnn5kSbjKcjgvqpSVaM8HUK334', '_8OMUxxCcLLv9CGUCXXkNQ4ddAaHWmIV6gyr9feY9pUGebr2KzNy', 'qHsZCO2RB37VHlemrCuR8xeQMFCfqE0JgTXuRTANy75RTIjEJXR', 'CJ4ahdJwNRotqv8eWCYv9gDbkyKoxPsS3KHLm9X9reLe4osDqR5', 'wnJ6g2IhCiEBIsyRAYC87R9Ju0kxQKpKUa1GMZeiR2R2NzfVIis', 'yhmNxKiK2d9G8O4rsur2BYe3pJVauFAZEBNES6gIrGCEJcSR1Yq', 'qXD0NKzvOXB1ylPaHKFwJ1pUqQHzMlNUhU5LyWysQ5w0K9OdRKr', 's68uMIIgTS6ICBr6AIAQLzfQewF7jj0aYvaWvw7hepN0XczN5Es', 'VEfyrR2CwFBej6gsgR6hg8qWt53et5zL2gzuRIj88vCyandwmWl'
                      Source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, MwyMYrB7y8ul081GLk0N2YqRVdXS53fNhilCcw2m5Lg6CxJf6PgkdwE4agrx6Mi5bA.cs - High entropy of concatenated method names: 'DMjU3qEuEyTTwKkQ6JYLvmMYI8GsCc4nIQcWnGhN1UZ4sZK9yljUbhi38eL2rAd8p6', 'aX8yKa0LTsudAMA7bGRhfxgW0Qx6RUGDUydAlrgYwEeSZdzA3NLHpmv3FYP71YBBU0', 'Elyw5OOv9ZXV8oOp8pSOqWlSiL7qZQ8uWUYEYrYldYzlY85fbFz73RfidvVqqdm5CB', 'cHhMprBcdBTBtLkeqip6GR8m9WKWlVtWYGPFjwWJhHbC6t1Z9xM5U1nJryeMadzGAH', 'KvAHq2S6BCShrEXrFzfZYr39RUV2thBF9orP8JM8B4xEy168hFdJWp8KHqJLQNRA4B', '_7cOLdM31gx0ByM2jh9BsouCr96MhoheFYdBO3YtWFAu9CklRw1Bi1HU0Ag9FqS0Ouo', 'NonlJdIaLlEpZYagY6BcjSgkNRRf5N6BdlWpYl4KvWd6OJ6WB5f6q3iQ2LMCixDY1k', '_4EWbizpjWvcu6D7T7pouFB2xDKxTaC0ulntOjelFfhVfHqmVA5OBkCMTge4a30ocZP', 'HeWF3BQD4bfTmYfhMI5tu3rYw1aAIADLhyNE8e7ShXJUOZ0uZ8Snlj7wgkANB1fZUP', 'CSGCTaWDTUfPDJoL32Z5Z5nOzWmNuq7HHy0CMmTQKYLn5pfRqsk'
                      Source: C:\Users\user\Desktop\Java32.exe - File created: C:\ProgramData\Java Update(32bit).exe
                      Source: C:\Users\user\Desktop\Java32.exe - File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\Java32.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (58 identical entries)

                      Malware Analysis System Evasion

                      Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                      Source: C:\Users\user\Desktop\Java32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (18 identical entries)
                      Source: Java32.exe, 00000000.00000002.3280755045.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: Java32.exe, Java Update(32bit).exe.0.dr | Binary or memory string: SBIEDLL.DLL9MOHYXCJJER2HL3T10Z4GCDXOJVHY9DW482VDXD1VZB3BHXFBLEZXRC7MR9I03K09H1Y2RI1XGBEDDN0QDYQXOH9MABN4SLL88TXVMW5AUA3JO7N4IPD9ZDQJ1UUXHPKEQYRD2Z4LOONVQINV92JEXN0GWUAGBPCIZ4FAFTNAFO4009ZWGPEPOGVJJTKIOELRIL88BVWGM39RJTOSMYWEZDX0ZWUC0EJCKPJ5K4M9FPDIA7TPJXLTPX5I7AVLR20TDTEW9A9OYTYV0FYXVKPN4WFZRXSRO5JNO{G7NOMTBBNQ9G933HPQPCOFYN1KS3LVFJZFGRU3PPOCLLACAAWACGREPVHVCQS{K0W0IAM6K9F8LBA6VENNQHSJQSDEAAT2BLI58BNZ011YKRR1DXR0FK9JVU0WN{PJRXB593CPNJAQCKF6DI5GNMVQX2S03CH1RU8QLFEL9ZITDGVEGELXTFR8KEA{2ORVIJIA8VJEHGXGJW606L0ETG8DYSXVPSLKQVG8IWVKN7EMGJHPF4NPKIJ9DINFO
                      Source: C:\Users\user\Desktop\Java32.exe | Memory allocated: 13B0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Java32.exe | Memory allocated: 1AED0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Java32.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                      Source: C:\Users\user\Desktop\Java32.exe | Window / User API: threadDelayed 663
                      Source: C:\Users\user\Desktop\Java32.exe | Window / User API: threadDelayed 9181
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6501
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3230
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7469
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2183
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6522
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3060
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7494
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2086
                      Source: C:\Users\user\Desktop\Java32.exe TID: 3552 | Thread sleep time: -36893488147419080s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1900 | Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4320 | Thread sleep count: 7469 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1436 | Thread sleep count: 2183 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6604 | Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368 | Thread sleep count: 6522 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2748 | Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6368 | Thread sleep count: 3060 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7060 | Thread sleep count: 7494 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3192 | Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 652 | Thread sleep count: 2086 > 30
                      Source: C:\Users\user\Desktop\Java32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Users\user\Desktop\Java32.exe | File Volume queried: C:\ FullSizeInformation (19 identical entries)
                      Source: C:\Users\user\Desktop\Java32.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 identical entries)
                      Source: Java Update(32bit).exe.0.dr | Binary or memory string: vmware
                      Source: Java32.exe, 00000000.00000002.3307497139.000000001BE64000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\Java32.exe | Process information queried: ProcessInformation

                      Anti Debugging

                      Source: C:\Users\user\Desktop\Java32.exe | Code function: 0_2_00007FF848F1287A CheckRemoteDebuggerPresent,0_2_00007FF848F1287A
                      Source: C:\Users\user\Desktop\Java32.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Java32.exe | Process token adjusted: Debug (2 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (4 identical entries)
                      Source: C:\Users\user\Desktop\Java32.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe' (4 identical entries)
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe' (3 identical entries)
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java32.exe'
                      Source: C:\Users\user\Desktop\Java32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'
                      Source: C:\Users\user\Desktop\Java32.exe | Queries volume information: C:\Users\user\Desktop\Java32.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Java32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical entries)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Java32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Java32.exe, 00000000.00000002.3311884438.000000001CA30000.00000004.00000020.00020000.00000000.sdmp, Java32.exe, 00000000.00000002.3307497139.000000001BEBF000.00000004.00000020.00020000.00000000.sdmp, Java32.exe, 00000000.00000002.3307497139.000000001BE64000.00000004.00000020.00020000.00000000.sdmp, Java32.exe, 00000000.00000002.3276229383.000000000108C000.00000004.00000020.00020000.00000000.sdmp, Java32.exe, 00000000.00000002.3307497139.000000001BF07000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Java32.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Java32.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Java32.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Java32.exe.12ee1a78.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2003941272.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3280755045.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3304438638.0000000012EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Java32.exe PID: 6520, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: Java32.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Java32.exe.b60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Java32.exe.12ee1a78.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Java32.exe.12ee1a78.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2003941272.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3280755045.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3304438638.0000000012EE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Java32.exe PID: 6520, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\Java Update(32bit).exe, type: DROPPED
Techniques by tactic (the number after a technique is the count shown against it in the report):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation (12), PowerShell (1), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Registry Run Keys / Startup Folder (2), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (11), Registry Run Keys / Startup Folder (2), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Disable or Modify Tools (11), Virtualization/Sandbox Evasion (151), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (11), Software Packing (2), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (541), Process Discovery (1), Virtualization/Sandbox Evasion (151), Application Window Discovery (1), System Network Configuration Discovery (1), File and Directory Discovery (1), System Information Discovery (23), System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (11), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Behavior Graph (ID: 1583255, Sample: Java32.exe, Startdate: 02/01/2025, Architecture: WINDOWS, Score: 100)

Start
  DNS: ip-api.com
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 15 other signatures
  -> Java32.exe started
       Network: 45.141.26.234 (ports 49975, 49980, 49981; SPECTRAIPSpectraIPBVNL, Netherlands); ip-api.com 208.95.112.1 (ports 49704, 80; TUT-ASUS, United States)
       Dropped file: C:\ProgramData\Java Update(32bit).exe, PE32
       Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 3 other signatures
       -> powershell.exe started (4 instances)
            Signature: Loading BitLocker PowerShell Module
            -> conhost.exe started (one per powershell.exe)

Source | Detection | Scanner | Label | Link
Java32.exe | 77% | Virustotal | | Browse
Java32.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
Java32.exe | 100% | Avira | TR/Spy.Gen |
Java32.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\ProgramData\Java Update(32bit).exe | 100% | Avira | TR/Spy.Gen |
C:\ProgramData\Java Update(32bit).exe | 100% | Joe Sandbox ML | |
C:\ProgramData\Java Update(32bit).exe | 76% | ReversingLabs | Win32.Exploit.Xworm |
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
45.141.26.234 | 0% | Avira URL Cloud | safe |
https://ion=v4.535A | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
45.141.26.234 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2103080427.000001FDF5871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196994742.000002B168321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350753391.0000014C10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2556361661.000001ECEFE2F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.2420491413.000001ECDFFEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.microsoft.co | powershell.exe, 00000002.00000002.2107774025.000001FDFDD78000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2080562357.000001FDE5A29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2142001821.000002B1584D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2260866847.0000014C00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2420491413.000001ECDFFEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.2420491413.000001ECDFFEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2080562357.000001FDE5A29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2142001821.000002B1584D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2260866847.0000014C00229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2420491413.000001ECDFFEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 0000000A.00000002.2556361661.000001ECEFE2F000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2103080427.000001FDF5871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196994742.000002B168321000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2350753391.0000014C10071000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2556361661.000001ECEFE2F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.microsoft.co | powershell.exe, 00000005.00000002.2212728245.000002B170830000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2584026441.000001ECF8290000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 0000000A.00000002.2556361661.000001ECEFE2F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.mic | powershell.exe, 00000005.00000002.2210252051.000002B170703000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2587286696.000001ECF845E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.2556361661.000001ECEFE2F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micft.cMicRosof | powershell.exe, 00000005.00000002.2210252051.000002B170703000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2587286696.000001ECF845E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2080562357.000001FDE5801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2142001821.000002B1582B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2260866847.0000014C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2420491413.000001ECDFDC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Java32.exe, 00000000.00000002.3280755045.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2080562357.000001FDE5801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2142001821.000002B1582B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2260866847.0000014C00001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2420491413.000001ECDFDC1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.v | powershell.exe, 00000008.00000002.2376698872.0000014C6EDE0000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.2420491413.000001ECDFFEA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ion=v4.535A | powershell.exe, 00000002.00000002.2109287911.000001FDFE1AC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
45.141.26.234 | unknown | Netherlands | 62068 | SPECTRAIPSpectraIPBVNL | true
                                                            Joe Sandbox version:41.0.0 Charoite
                                                            Analysis ID:1583255
                                                            Start date and time:2025-01-02 09:44:07 +01:00
                                                            Joe Sandbox product:CloudBasic
                                                            Overall analysis duration:0h 5m 54s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:full
                                                            Cookbook file name:default.jbs
                                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                            Number of analysed new started processes analysed:13
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:0
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Sample name:Java32.exe
                                                            Detection:MAL
                                                            Classification:mal100.troj.evad.winEXE@13/20@1/2
                                                            EGA Information:
                                                            • Successful, ratio: 20%
                                                            HCA Information:
                                                            • Successful, ratio: 98%
                                                            • Number of executed functions: 51
                                                            • Number of non-executed functions: 7
                                                            Cookbook Comments:
                                                            • Found application associated with file extension: .exe
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                            • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.45
                                                            • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                            • Execution Graph export aborted for target powershell.exe, PID 1656 because it is empty
                                                            • Execution Graph export aborted for target powershell.exe, PID 5584 because it is empty
                                                            • Execution Graph export aborted for target powershell.exe, PID 6500 because it is empty
                                                            • Execution Graph export aborted for target powershell.exe, PID 6780 because it is empty
                                                            • Not all processes were analyzed; report is missing behavior information
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size getting too big, too many NtCreateKey calls found.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                                            • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                            Time      Type              Description
                                                            03:45:02  API Interceptor   52x Sleep call for process: powershell.exe modified
                                                            03:46:05  API Interceptor   127167x Sleep call for process: Java32.exe modified
                                                            09:45:58  Autostart         Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java Update(32bit).lnk
                                                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                            208.95.112.1 | mcgen.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
                                                            208.95.112.1 | intro.avi.exe | malicious | Quasar | ip-api.com/json/
                                                            208.95.112.1 | AimStar.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
                                                            208.95.112.1 | L988Ph5sKX.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                                                            208.95.112.1 | kj93GnZHBS.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
                                                            208.95.112.1 | ANuh30XoVu.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                                                            208.95.112.1 | rivalsanticheat.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                                                            208.95.112.1 | rename_me_before.exe | malicious | Python Stealer, Exela Stealer | ip-api.com/json
                                                            208.95.112.1 | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | ip-api.com/xml
                                                            208.95.112.1 | Fizzy Loader.exe | malicious | Blank Grabber, Umbral Stealer | ip-api.com/json/?fields=225545
                                                            45.141.26.234 | da6ke5KbfB.exe | malicious | AsyncRAT, Babadeda, XWorm | 45.141.26.234/x.exe
                                                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                            ip-api.com | mcgen.exe | malicious | Blank Grabber | 208.95.112.1
                                                            ip-api.com | intro.avi.exe | malicious | Quasar | 208.95.112.1
                                                            ip-api.com | AimStar.exe | malicious | Blank Grabber | 208.95.112.1
                                                            ip-api.com | L988Ph5sKX.exe | malicious | XWorm | 208.95.112.1
                                                            ip-api.com | kj93GnZHBS.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
                                                            ip-api.com | ANuh30XoVu.exe | malicious | XWorm | 208.95.112.1
                                                            ip-api.com | rivalsanticheat.exe | malicious | XWorm | 208.95.112.1
                                                            ip-api.com | rename_me_before.exe | malicious | Python Stealer, Exela Stealer | 208.95.112.1
                                                            ip-api.com | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 208.95.112.1
                                                            ip-api.com | Fizzy Loader.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
                                                            Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                            SPECTRAIPSpectraIPBVNL | nklmips.elf | malicious | Unknown | 89.190.159.77
                                                            SPECTRAIPSpectraIPBVNL | 1.elf | malicious | Unknown | 45.141.239.79
                                                            SPECTRAIPSpectraIPBVNL | TRC.ppc.elf | malicious | Mirai | 45.144.191.245
                                                            SPECTRAIPSpectraIPBVNL | da6ke5KbfB.exe | malicious | AsyncRAT, Babadeda, XWorm | 45.141.26.234
                                                            SPECTRAIPSpectraIPBVNL | 03VPFXH490.exe | malicious | AsyncRAT, XWorm | 45.141.26.234
                                                            SPECTRAIPSpectraIPBVNL | saiya.exe | malicious | AsyncRAT, XWorm | 45.141.26.134
                                                            SPECTRAIPSpectraIPBVNL | windxcmd.exe | malicious | AsyncRAT, XWorm | 45.141.26.134
                                                            SPECTRAIPSpectraIPBVNL | mips.nn.elf | malicious | Mirai, Okiru | 45.138.53.54
                                                            SPECTRAIPSpectraIPBVNL | 18fvs4AVae.exe | malicious | AsyncRAT, XWorm | 45.141.26.170
                                                            SPECTRAIPSpectraIPBVNL | Fulloption_V2.1.exe | malicious | XWorm | 45.141.27.248
                                                            TUT-ASUS | mcgen.exe | malicious | Blank Grabber | 208.95.112.1
                                                            TUT-ASUS | intro.avi.exe | malicious | Quasar | 208.95.112.1
                                                            TUT-ASUS | AimStar.exe | malicious | Blank Grabber | 208.95.112.1
                                                            TUT-ASUS | L988Ph5sKX.exe | malicious | XWorm | 208.95.112.1
                                                            TUT-ASUS | kj93GnZHBS.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
                                                            TUT-ASUS | ANuh30XoVu.exe | malicious | XWorm | 208.95.112.1
                                                            TUT-ASUS | rivalsanticheat.exe | malicious | XWorm | 208.95.112.1
                                                            TUT-ASUS | rename_me_before.exe | malicious | Python Stealer, Exela Stealer | 208.95.112.1
                                                            TUT-ASUS | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 208.95.112.1
                                                            TUT-ASUS | Fizzy Loader.exe | malicious | Blank Grabber, Umbral Stealer | 208.95.112.1
                                                            No context
                                                            No context
                                                            Process:C:\Users\user\Desktop\Java32.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):108032
                                                            Entropy (8bit):6.362235917726401
                                                            Encrypted:false
                                                            SSDEEP:1536:P6wH/d05ZE5rKn/JvAobz73d16YAlOpYMPG17qjh3rmKPNI:P6agVnx4obzQlOpZGwjZqMNI
                                                            MD5:9664AD464838E6F6E2196A594EF5682F
                                                            SHA1:F975CDC29E519F08DF38FF375B587B4DB9EA676E
                                                            SHA-256:9119D9E8D1A7078C637D5AF9D09D5FCE63C9FB300B47C08E580387A867F97A46
                                                            SHA-512:33838F172A0FAD1129CACEF9FEA67839FFDD2C9FEC730FB36C941B904118044964AB0AAFA3F649F59CE4239911B1264EB10D605CEAC2DDE4B7FA7A0380E14A89
                                                            Malicious:true
                                                            Yara Hits:
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\Java Update(32bit).exe, Author: Joe Security
                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\Java Update(32bit).exe, Author: Joe Security
                                                            • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\ProgramData\Java Update(32bit).exe, Author: Sekoia.io
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\Java Update(32bit).exe, Author: ditekSHen
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 76%
                                                            Reputation:low
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....oig.................$...........C... ...`....@.. ....................................@..................................C..S....`..>|........................................................................... ............... ..H............text....#... ...$.................. ..`.rsrc...>|...`...~...&..............@..@.reloc..............................@..B.................C......H.......8b..P.......&.....................................................(....*.r...p*. S...*..(....*.r...p*. ....*.s.........s.........s.........s.........*.rS..p*. ..[.*.r...p*. .r}.*.r...p*. *p{.*.r...p*. ...*.r;..p*. ....*..((...*.rk..p*. ..*.*.r...p*. [.x.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(U...*"(....+.*&(....&+.*.+5sf... .... .'..og...(,...~....-.(_...(Q...~....oh...&.-.*.r...p*. ...*.r...p*. ..e.*.r9..p*. .TY.*.rs..p*. ....*.r...p*.r...p*.r!..p*. .i.*.r[.
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:modified
                                                            Size (bytes):64
                                                            Entropy (8bit):0.34726597513537405
                                                            Encrypted:false
                                                            SSDEEP:3:Nlll:Nll
                                                            MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                            SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                            SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                            SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                            Malicious:false
                                                            Preview:@...e...........................................................
                                                            Process:C:\Users\user\Desktop\Java32.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:modified
                                                            Size (bytes):29
                                                            Entropy (8bit):3.598349098128234
                                                            Encrypted:false
                                                            SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                            MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                            SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                            SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                            SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                            Malicious:false
                                                            Preview:....### explorer ###..[WIN]r
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Users\user\Desktop\Java32.exe
                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 2 07:45:57 2025, mtime=Thu Jan 2 07:45:57 2025, atime=Thu Jan 2 07:45:57 2025, length=108032, window=hide
                                                            Category:dropped
                                                            Size (bytes):720
                                                            Entropy (8bit):4.666744856183531
                                                            Encrypted:false
                                                            SSDEEP:12:8fTrcOdVceqAzKJxjA6gTliqdrgb+HWYmV:8fS2mHA6A3u+HWYm
                                                            MD5:866AACCC8D9AA995546F2E61C0C09960
                                                            SHA1:BC4A23920EC6E85AD7BE91461EAA364C9A6AC265
                                                            SHA-256:FA9F2FB842320D0381F7F3E987A980704C4B4E8A4F18CF7A911102EA3A035032
                                                            SHA-512:3754371F65F35AD703BA8E1A1AD4E607AC0464E3F0ED6D7EB92F0B7F1984EFB6EC9F259435E321B0C3F58DCE12C6A2AA7273FF1EC3F4710A3D041C0CC589EFDE
                                                            Malicious:false
                                                            Preview:L..................F.... ......\......\......\...............................P.O. .:i.....+00.../C:\...................`.1....."Z.E. PROGRA~3..H......O.I"Z.E....g.........................P.r.o.g.r.a.m.D.a.t.a.....z.2....."Z.E JAVAUP~1.EXE..^......"Z.E"Z.E....3(....................j.`.J.a.v.a. .U.p.d.a.t.e.(.3.2.b.i.t.)...e.x.e.......T...............-.......S...........yV9......C:\ProgramData\Java Update(32bit).exe..=.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.J.a.v.a. .U.p.d.a.t.e.(.3.2.b.i.t.)...e.x.e.`.......X.......849224...........hT..CrF.f4... .'t......,...W..hT..CrF.f4... .'t......,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):6.362235917726401
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Windows Screen Saver (13104/52) 0.07%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:Java32.exe
                                                            File size:108'032 bytes
                                                            MD5:9664ad464838e6f6e2196a594ef5682f
                                                            SHA1:f975cdc29e519f08df38ff375b587b4db9ea676e
                                                            SHA256:9119d9e8d1a7078c637d5af9d09d5fce63c9fb300b47c08e580387a867f97a46
                                                            SHA512:33838f172a0fad1129cacef9fea67839ffdd2c9fec730fb36c941b904118044964ab0aafa3f649f59ce4239911b1264eb10d605ceac2dde4b7fa7a0380e14a89
                                                            SSDEEP:1536:P6wH/d05ZE5rKn/JvAobz73d16YAlOpYMPG17qjh3rmKPNI:P6agVnx4obzQlOpZGwjZqMNI
                                                            TLSH:7EB38DB4F3D59401D2BF9FF24CBA6D2185B67E9F9C52860E20DA325A16333C58441EAF
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....oig.................$...........C... ...`....@.. ....................................@................................
                                                            Icon Hash:d08c8e8ea2868a55
                                                            Entrypoint:0x4143de
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x67696FC5 [Mon Dec 23 14:12:21 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: disassembly of the zero padding that follows the 6-byte jmp stub)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x14388          0x53          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x16000          0x7c3e        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x123e4       0x12400   925f9e70d765d6e89936906dc31cf7d0  False     0.6053215967465754  data       6.072213683132225    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x16000          0x7c3e        0x7e00    56849df267bfd2f5d643b1c0753b8736  False     0.3404637896825397  data       5.84933569010734     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x1e000          0xc           0x200     39475863cd38b67b4982701dc4d3a830  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                                Language  Country  ZLIB Complexity
RT_ICON        0x16340  0x668   Device independent bitmap graphic, 48 x 96 x 4, image size 0                                         0.21890243902439024
RT_ICON        0x169a8  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 0                                         0.3400537634408602
RT_ICON        0x16c90  0x1e8   Device independent bitmap graphic, 24 x 48 x 4, image size 0                                         0.35450819672131145
RT_ICON        0x16e78  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 0                                         0.46283783783783783
RT_ICON        0x16fa0  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 0                                         0.5026652452025586
RT_ICON        0x17e48  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 0                                         0.5798736462093863
RT_ICON        0x186f0  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0                                         0.40264976958525345
RT_ICON        0x18db8  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0                                         0.3273121387283237
RT_ICON        0x19320  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0                                        0.27344398340248965
RT_ICON        0x1b8c8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0                                        0.37875234521575984
RT_ICON        0x1c970  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 0                                        0.37868852459016394
RT_ICON        0x1d2f8  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0                                        0.4796099290780142
RT_GROUP_ICON  0x1d760  0xae    data                                                                                                 0.5689655172413793
RT_VERSION     0x1d810  0x244   data                                                                                                 0.4724137931034483
RT_MANIFEST    0x1da54  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
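The header, data-directory and import tables above are what a triage script reads before any dynamic run: a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR together with a single mscoree.dll!_CorExeMain import marks a managed (.NET) executable, which is why the native entry point is nothing but a jmp through the IAT at 0x402000. The following added example is not part of the Joe Sandbox report; it is a stdlib-only reader for those header fields. Offsets and flag values are the PE/COFF specification's. Because the page carries only the parsed values and not the binary, build_sample_header() constructs a PE32 header populated with the numbers from the tables above so the reader runs offline; that header and the function names are assumptions for the example.

```python
"""Read the PE header fields the report tabulates and decide "managed or not".

Added example for this report; it is not Joe Sandbox code. Offsets and flag values
are from the PE/COFF specification. build_sample_header() constructs a PE32 header
carrying the numbers from the tables above (an assumption: only the headers are
built, not the sample's real bytes).
"""
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_IAT = 12
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header; non-zero => .NET image

# IMAGE_DLLCHARACTERISTICS_* bits, ascending
DLL_CHARACTERISTICS = [
    (0x0020, "HIGH_ENTROPY_VA"), (0x0040, "DYNAMIC_BASE"), (0x0080, "FORCE_INTEGRITY"),
    (0x0100, "NX_COMPAT"), (0x0200, "NO_ISOLATION"), (0x0400, "NO_SEH"),
    (0x0800, "NO_BIND"), (0x1000, "APPCONTAINER"), (0x2000, "WDM_DRIVER"),
    (0x4000, "GUARD_CF"), (0x8000, "TERMINAL_SERVER_AWARE"),
]


def parse_pe_header(pe):
    """Return machine, UTC timestamp, entry-point RVA, subsystem, DllCharacteristics
    and the 16 data directories as (rva, size) pairs. Raises ValueError if the blob
    does not start with a DOS header pointing at a PE signature."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, _nsect, stamp, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", pe, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:                                  # PE32
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                                # PE32+
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    subsystem, dllchars = struct.unpack_from("<HH", pe, opt + 68)
    nrva = struct.unpack_from("<I", pe, nrva_off)[0]
    dirs = [struct.unpack_from("<II", pe, dd_off + 8 * i) for i in range(min(nrva, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))                 # pad a short directory table
    return {
        "machine": machine,
        "characteristics": chars,
        "timestamp": datetime.fromtimestamp(stamp, timezone.utc),
        "entry_point": entry,
        "subsystem": subsystem,
        "dll_characteristics": dllchars,
        "directories": dirs,
    }


def dll_characteristics_names(value):
    """Expand the DllCharacteristics bitmask into the names the report prints."""
    return [name for bit, name in DLL_CHARACTERISTICS if value & bit]


def is_dotnet(hdr):
    """A populated COM descriptor directory means the loader hands control to the
    CLR; for such images the native entry point is only a jmp through the IAT."""
    rva, size = hdr["directories"][IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR]
    return rva != 0 and size != 0


def build_sample_header():
    """Constructed PE32 header (headers only, no sections or code) populated with
    the values the report lists for Java32.exe. An assumption for the demo."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # i386, 3 sections, TimeDateStamp 0x67696FC5, 224-byte optional header,
    # Characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0x67696FC5, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x143DE)            # AddressOfEntryPoint (VA 0x4143de)
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 0, 0, 4, 0)  # OS 4.0, image 0.0, subsystem 4.0
    struct.pack_into("<HH", opt, 68, 2, 0x8540)         # WINDOWS_GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TS_AWARE
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    directories = {1: (0x14388, 0x53), 2: (0x16000, 0x7C3E), 5: (0x1E000, 0xC),
                   IMAGE_DIRECTORY_ENTRY_IAT: (0x2000, 0x8),
                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: (0x2008, 0x48)}
    for index, (rva, size) in directories.items():
        struct.pack_into("<II", opt, 96 + 8 * index, rva, size)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    hdr = parse_pe_header(build_sample_header())
    print("compiled:", hdr["timestamp"].strftime("%Y-%m-%d %H:%M:%S UTC"))
    print("entry RVA:", hex(hdr["entry_point"]), "IAT:", hdr["directories"][IMAGE_DIRECTORY_ENTRY_IAT])
    print("DllCharacteristics:", ", ".join(dll_characteristics_names(hdr["dll_characteristics"])))
    print(".NET image:", is_dotnet(hdr))
```

Run against a real file, `parse_pe_header(open(path, "rb").read())` gives the same dictionary; the COM descriptor test is the cheap first cut that tells you to reach for a .NET decompiler rather than a native disassembler, and the timestamp field is the one the report shows as 0x67696FC5.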
Timestamp                           Source Port  Dest Port  Source IP      Dest IP
Jan 2, 2025 09:45:01.148313999 CET  49704        80         192.168.2.5    208.95.112.1
Jan 2, 2025 09:45:01.153151989 CET  80           49704      208.95.112.1   192.168.2.5
Jan 2, 2025 09:45:01.153254986 CET  49704        80         192.168.2.5    208.95.112.1
Jan 2, 2025 09:45:01.154000998 CET  49704        80         192.168.2.5    208.95.112.1
Jan 2, 2025 09:45:01.158735991 CET  80           49704      208.95.112.1   192.168.2.5
Jan 2, 2025 09:45:01.664609909 CET  80           49704      208.95.112.1   192.168.2.5
Jan 2, 2025 09:45:01.707087994 CET  49704        80         192.168.2.5    208.95.112.1
Jan 2, 2025 09:46:01.965246916 CET  49975        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:01.970109940 CET  7000         49975      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:01.970232010 CET  49975        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:02.076704025 CET  49975        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:02.081480026 CET  7000         49975      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:04.079766989 CET  7000         49975      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:04.081856012 CET  49975        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:06.691692114 CET  49975        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:06.692771912 CET  49980        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:06.696610928 CET  7000         49975      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:06.697680950 CET  7000         49980      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:06.697751999 CET  49980        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:06.711886883 CET  49980        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:06.716726065 CET  7000         49980      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:08.831197977 CET  7000         49980      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:08.831355095 CET  49980        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:10.973021030 CET  49980        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:10.974447966 CET  49981        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:10.977847099 CET  7000         49980      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:10.979231119 CET  7000         49981      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:10.979295015 CET  49981        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:10.996978045 CET  49981        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:11.002177000 CET  7000         49981      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:13.114877939 CET  7000         49981      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:13.114964008 CET  49981        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:16.425930977 CET  49981        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:16.427078962 CET  49982        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:16.430706024 CET  7000         49981      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:16.431860924 CET  7000         49982      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:16.431943893 CET  49982        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:16.446357012 CET  49982        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:16.451112032 CET  7000         49982      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:18.569693089 CET  7000         49982      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:18.571883917 CET  49982        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:20.270123005 CET  49982        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:20.271944046 CET  49984        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:20.274949074 CET  7000         49982      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:20.276812077 CET  7000         49984      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:20.276889086 CET  49984        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:20.303989887 CET  49984        7000       192.168.2.5    45.141.26.234
Jan 2, 2025 09:46:20.308752060 CET  7000         49984      45.141.26.234  192.168.2.5
Jan 2, 2025 09:46:21.167650938 CET  80           49704      208.95.112.1   192.168.2.5
Jan 2, 2025 09:46:21.167711020 CET  49704        80         192.168.2.5    208.95.112.1
Jan 2, 2025 09:46:22.457946062 CET  7000         49984      45.141.26.234  192.168.2.5
                                                            Jan 2, 2025 09:46:22.458022118 CET499847000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:22.655951977 CET70004998445.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:22.656105042 CET499847000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:24.691581011 CET499847000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:24.692634106 CET499857000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:24.697063923 CET70004998445.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:24.698291063 CET70004998545.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:24.698396921 CET499857000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:24.712811947 CET499857000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:24.717607975 CET70004998545.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:26.853607893 CET70004998545.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:26.853717089 CET499857000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:29.847908020 CET499857000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:29.849164963 CET499867000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:29.852727890 CET70004998545.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:29.853984118 CET70004998645.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:29.854064941 CET499867000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:29.868808031 CET499867000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:29.873642921 CET70004998645.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:32.048423052 CET70004998645.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:32.048577070 CET499867000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:34.894845963 CET499867000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:34.896960974 CET499877000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:34.899710894 CET70004998645.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:34.901823997 CET70004998745.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:34.901896954 CET499877000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:34.916640997 CET499877000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:34.921516895 CET70004998745.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:37.035269976 CET70004998745.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:37.037925959 CET499877000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:39.363662958 CET499877000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:39.364558935 CET499887000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:39.374320030 CET70004998745.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:39.374351025 CET70004998845.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:39.374619007 CET499887000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:39.389877081 CET499887000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:39.394628048 CET70004998845.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:41.506383896 CET70004998845.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:41.506489992 CET499887000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:41.677433014 CET4970480192.168.2.5208.95.112.1
                                                            Jan 2, 2025 09:46:41.682297945 CET8049704208.95.112.1192.168.2.5
                                                            Jan 2, 2025 09:46:42.254534960 CET499887000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:42.257029057 CET499897000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:42.259423971 CET70004998845.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:42.261868954 CET70004998945.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:42.261955023 CET499897000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:42.280035973 CET499897000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:42.284852982 CET70004998945.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:44.393759966 CET70004998945.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:44.393881083 CET499897000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:44.801052094 CET499897000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:44.802047014 CET499907000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:44.805861950 CET70004998945.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:44.806919098 CET70004999045.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:44.807003975 CET499907000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:44.821484089 CET499907000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:44.826303005 CET70004999045.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:46.924525023 CET70004999045.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:46.924654007 CET499907000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:47.723138094 CET499907000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:47.724941015 CET499917000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:47.727916002 CET70004999045.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:47.729778051 CET70004999145.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:47.729854107 CET499917000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:47.754298925 CET499917000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:47.759118080 CET70004999145.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:49.865684032 CET70004999145.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:49.865859985 CET499917000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:50.473002911 CET499917000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:50.478857994 CET70004999145.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:50.479022026 CET499927000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:50.485409021 CET70004999245.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:50.486967087 CET499927000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:50.508517981 CET499927000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:50.513303041 CET70004999245.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:52.612386942 CET70004999245.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:52.612576008 CET499927000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:53.660392046 CET499927000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:53.661580086 CET499937000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:53.665196896 CET70004999245.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:53.666402102 CET70004999345.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:53.666471958 CET499937000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:53.683281898 CET499937000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:53.688100100 CET70004999345.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:55.809227943 CET70004999345.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:55.809457064 CET499937000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:56.233918905 CET499937000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:56.238725901 CET70004999345.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:56.241588116 CET499947000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:56.246397018 CET70004999445.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:56.246469021 CET499947000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:56.345027924 CET499947000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:56.349853992 CET70004999445.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:58.406925917 CET70004999445.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:58.406995058 CET499947000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:59.226974964 CET499947000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:59.231858969 CET70004999445.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:59.232415915 CET499957000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:59.237211943 CET70004999545.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:46:59.237319946 CET499957000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:59.255595922 CET499957000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:46:59.260390043 CET70004999545.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:47:01.363931894 CET70004999545.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:47:01.365782022 CET499957000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:47:01.703107119 CET499957000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:47:01.708199024 CET70004999545.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:47:01.729612112 CET499967000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:47:01.735335112 CET70004999645.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:47:01.735424995 CET499967000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:47:01.893332005 CET499967000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:47:01.899452925 CET70004999645.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:47:03.865540981 CET70004999645.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:47:03.865643024 CET499967000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:47:03.926198006 CET499967000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:47:03.928437948 CET499977000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:47:03.931022882 CET70004999645.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:47:03.933300018 CET70004999745.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:47:03.933374882 CET499977000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:47:03.952306986 CET499977000192.168.2.545.141.26.234
                                                            Jan 2, 2025 09:47:03.957101107 CET70004999745.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:47:06.049907923 CET70004999745.141.26.234192.168.2.5
                                                            Jan 2, 2025 09:47:06.049968004 CET499977000192.168.2.545.141.26.234
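
The TCP listing above shows the sample's C2 cadence: roughly every four to five seconds the client opens a fresh connection to 45.141.26.234:7000 on the next ephemeral port (49980, 49981, 49982, 49984, ...), each lasting a few seconds, while a single HTTP keep-alive connection to ip-api.com (208.95.112.1:80) stays open. The following Python is an added example written for this page, not code from Joe Sandbox or from the sample; it recovers the columns from the flattened rows and turns them into per-session durations and start-to-start gaps. The embedded rows are copied from the listing (the first and last packet of each of the first three C2 sessions plus the two ip-api.com packets); the analysis VM address, the two contacted hosts and the server ports 7000 and 80 are taken from the report, and are needed because glued ports and glued IPv4 addresses cannot be split unambiguously on their own.

```python
import re
from datetime import datetime

# Rows copied verbatim from the report's TCP packet listing: first and last
# packet of the C2 sessions on ports 49980-49982, and the ip-api.com pair.
# Each row is timestamp, source port, destination port, source IP, dest IP,
# with the column boundaries lost during extraction.
RAW_ROWS = """\
Jan 2, 2025 09:46:06.711886883 CET499807000192.168.2.545.141.26.234
Jan 2, 2025 09:46:10.977847099 CET70004998045.141.26.234192.168.2.5
Jan 2, 2025 09:46:10.974447966 CET499817000192.168.2.545.141.26.234
Jan 2, 2025 09:46:16.430706024 CET70004998145.141.26.234192.168.2.5
Jan 2, 2025 09:46:16.427078962 CET499827000192.168.2.545.141.26.234
Jan 2, 2025 09:46:20.274949074 CET70004998245.141.26.234192.168.2.5
Jan 2, 2025 09:46:21.167650938 CET8049704208.95.112.1192.168.2.5
Jan 2, 2025 09:46:21.167711020 CET4970480192.168.2.5208.95.112.1
"""

# Facts taken from the report: the analysis VM, the two hosts it contacted,
# and the server-side ports (7000 = XWorm C2 from the config, 80 = ip-api.com).
LOCAL_IP = "192.168.2.5"
KNOWN_IPS = {"192.168.2.5", "45.141.26.234", "208.95.112.1"}
SERVER_PORTS = {7000, 80}
_ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+) CET(?P<rest>\d.*)$")


def _parse_ts(text):
    # strptime's %f takes at most six fractional digits; the report prints nine.
    whole, frac = text.rsplit(".", 1)
    return datetime.strptime(f"{whole}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def _split_ports(run, server_ports):
    """Split a glued digit run such as '4970480' into (src_port, dst_port).

    '4970480' is 49704|80 or 4970|480, so a split is accepted only when exactly
    one side is a known server port; anything but one candidate raises.
    """
    found = []
    for i in range(1, len(run)):
        a, b = run[:i], run[i:]
        if a[0] == "0" or b[0] == "0":  # ports are printed without leading zeros
            continue
        pa, pb = int(a), int(b)
        if pa <= 65535 and pb <= 65535 and (pa in server_ports) != (pb in server_ports):
            found.append((pa, pb))
    if len(found) != 1:
        raise ValueError(f"ambiguous or unparseable port run {run!r}: {found}")
    return found[0]


def parse_row(line, known_ips=KNOWN_IPS, server_ports=SERVER_PORTS):
    """Return (timestamp, src_port, dst_port, src_ip, dst_ip) for one raw row."""
    m = _ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    rest = m.group("rest")
    # Glued IPv4 addresses are ambiguous too ('...2.545.141...' is 2.5|45... or
    # 2.54|5...), so anchor on the hosts the report already lists.
    pairs = [(a, b) for a in known_ips for b in known_ips if rest.endswith(a + b)]
    if len(pairs) != 1:
        raise ValueError(f"cannot recover the IP pair from {rest!r}")
    src_ip, dst_ip = pairs[0]
    src_port, dst_port = _split_ports(rest[: -len(src_ip + dst_ip)], server_ports)
    return _parse_ts(m.group("ts")), src_port, dst_port, src_ip, dst_ip


def sessions(raw, local_ip=LOCAL_IP):
    """Group packets by (remote_ip, remote_port, local_port) -> first/last/count."""
    out = {}
    for line in raw.strip().splitlines():
        ts, sp, dp, sip, dip = parse_row(line)
        key = (dip, dp, sp) if sip == local_ip else (sip, sp, dp)
        s = out.setdefault(key, {"first": ts, "last": ts, "packets": 0})
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["packets"] += 1
    return out


def beacon_profile(raw, remote_ip, remote_port, local_ip=LOCAL_IP):
    """Duration and start-to-start gap of each session to one remote service.

    A RAT that reconnects as soon as its socket closes shows as a chain of
    short sessions on consecutive ephemeral ports whose gap roughly equals
    the previous session's duration, which is what the port-7000 rows show.
    """
    profile, prev_start = [], None
    ordered = sorted(sessions(raw, local_ip).items(), key=lambda kv: kv[1]["first"])
    for (rip, rport, lport), s in ordered:
        if (rip, rport) != (remote_ip, remote_port):
            continue
        profile.append({
            "local_port": lport,
            "packets": s["packets"],
            "duration_s": (s["last"] - s["first"]).total_seconds(),
            "gap_s": None if prev_start is None else (s["first"] - prev_start).total_seconds(),
        })
        prev_start = s["first"]
    return profile
```

Running `beacon_profile(RAW_ROWS, "45.141.26.234", 7000)` gives three sessions of about 4.3, 5.5 and 3.8 seconds whose start-to-start gaps match the previous session's length, i.e. the client reconnects immediately rather than sleeping between beacons; the same call for 208.95.112.1:80 returns one long-lived session. On a real capture you would feed Zeek conn.log or a pcap instead of scraping the report, but the per-destination session cadence is the feature worth alerting on.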
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 09:45:01.134494066 CET | 65482 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 09:45:01.141458988 CET | 53 | 65482 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 2, 2025 09:45:01.134494066 CET | 192.168.2.5 | 1.1.1.1 | 0x6911 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 2, 2025 09:45:01.141458988 CET | 1.1.1.1 | 192.168.2.5 | 0x6911 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                            • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 208.95.112.1 | 80 | 6520 | C:\Users\user\Desktop\Java32.exe
Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 09:45:01.154000998 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Jan 2, 2025 09:45:01.664609909 CET | 175 | IN | HTTP/1.1 200 OK
    Date: Thu, 02 Jan 2025 08:45:01 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


                                                            Click to jump to process

                                                            Click to jump to process

                                                            Click to dive into process behavior distribution

                                                            Click to jump to process

                                                            Target ID:0
                                                            Start time:03:44:56
                                                            Start date:02/01/2025
                                                            Path:C:\Users\user\Desktop\Java32.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\Desktop\Java32.exe"
                                                            Imagebase:0xb60000
                                                            File size:108'032 bytes
                                                            MD5 hash:9664AD464838E6F6E2196A594EF5682F
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2003941272.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2003941272.0000000000B62000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3280755045.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3304438638.0000000012EE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3304438638.0000000012EE1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:2
                                                            Start time:03:45:00
                                                            Start date:02/01/2025
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Java32.exe'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:03:45:00
                                                            Start date:02/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:03:45:08
                                                            Start date:02/01/2025
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java32.exe'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:03:45:08
                                                            Start date:02/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:8
                                                            Start time:03:45:19
                                                            Start date:02/01/2025
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Java Update(32bit).exe'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:03:45:19
                                                            Start date:02/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:03:45:35
                                                            Start date:02/01/2025
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Java Update(32bit).exe'
                                                            Imagebase:0x7ff7be880000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:03:45:35
                                                            Start date:02/01/2025
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true


                                                              Execution Graph

                                                              Execution Coverage:27.5%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:11.5%
                                                              Total number of Nodes:26
                                                              Total number of Limit Nodes:2
                                                              execution_graph (node dump omitted; Windows API calls reached in the graph: CheckRemoteDebuggerPresent, RtlSetProcessIsCritical, SetWindowsHookExW)

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: CAO_^
                                                              • API String ID: 0-3111533842

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: !O_H
                                                              • API String ID: 0-120083843

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID: CheckDebuggerPresentRemote
                                                              • String ID:
                                                              • API String ID: 3662101638-0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 0{H$N_^$N_^
                                                              • API String ID: 0-943146453

                                                              Control-flow Graph

                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: N_^
                                                              • API String ID: 0-884294832

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID: CriticalProcess
                                                              • String ID: hbH
                                                              • API String ID: 2695349919-3756390829

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID: HookWindows
                                                              • String ID:
                                                              • API String ID: 2559412058-0

                                                              Control-flow Graph

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID: CheckDebuggerPresentRemote
                                                              • String ID:
                                                              • API String ID: 3662101638-0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.3313976061.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_7ff848f10000_Java32.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2114037534.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2111725548.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2111725548.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2114037534.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2114037534.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2111725548.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2111725548.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a0c5d561d467bd5fbcd3494a03c0c2a7c0f718b3a33bac2c6d3e55972e8b0c7
                                                              • Instruction ID: 3dd93ad03d162427f3125ed7fd752baa83a0dc4b18381d4adfa33d3254b74d51
                                                              • Opcode Fuzzy Hash: 5a0c5d561d467bd5fbcd3494a03c0c2a7c0f718b3a33bac2c6d3e55972e8b0c7
                                                              • Instruction Fuzzy Hash: 6831EA3191CB489FDB1CDF5CA8066B97BE0FB99710F00422FE44993652DB70A856CBC2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2110705423.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848dfd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 39e7e96448717bbef2823621723319c646eb9f75a5e80726113f8d156142d2cc
                                                              • Instruction ID: 921fa1f740e231ed5309cb0f7a1af6b6472981bbff0534fc3dab8624456f5fb0
                                                              • Opcode Fuzzy Hash: 39e7e96448717bbef2823621723319c646eb9f75a5e80726113f8d156142d2cc
                                                              • Instruction Fuzzy Hash: 5C41227180EBC44FE7569B28A845A563FF0EF52325F1506EFD088CB1A3D725A84AC792
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2114037534.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 478e0227e9bebadf4dc82796991746e3090b498258d47309ed0d97683e48a377
                                                              • Instruction ID: ee9efd15c954c716705dbf50dbaa4a8bb2dcb64cb461cf602c366874f3dd1d99
                                                              • Opcode Fuzzy Hash: 478e0227e9bebadf4dc82796991746e3090b498258d47309ed0d97683e48a377
                                                              • Instruction Fuzzy Hash: 56217A32E0DE4A4FEBAAEB18945117466D2FF642A0F4901BEC15DC71E2CF1CAC04824A
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2111725548.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                              • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                              • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2114037534.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848fe0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6bc3dfec7b44e5e4ed55b5a7bffc75f4d9d23cecc151d971211fa2d774cee2f2
                                                              • Instruction ID: 1748bdd0471d63ce1f14a84ad7e30f4222d13884554394d0400479534205c1b2
                                                              • Opcode Fuzzy Hash: 6bc3dfec7b44e5e4ed55b5a7bffc75f4d9d23cecc151d971211fa2d774cee2f2
                                                              • Instruction Fuzzy Hash: EEF0B832A0C9448FD758EB0CE4458A8B3E0FF04320F0500BAE049CB8A3DB2AAC648765
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2111725548.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: N_^$N_^$N_^$N_^
                                                              • API String ID: 0-3900292545
                                                              • Opcode ID: 1b93475d123717c2ca7abe112a640ad30a576dbe467d71f1ebe0aab7573336d6
                                                              • Instruction ID: ed288cde63a4d844a058d7afe462b7bb18cebad12d9e02ab9faa282171aed8ed
                                                              • Opcode Fuzzy Hash: 1b93475d123717c2ca7abe112a640ad30a576dbe467d71f1ebe0aab7573336d6
                                                              • Instruction Fuzzy Hash: DA41AF63D1E6D26FE34A97285D690E53FA0EF22798B4D01F6C1C88B0D3EE1C5C0A9356
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2111725548.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ff848f10000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: N_^4$N_^7$N_^F$N_^J
                                                              • API String ID: 0-3508309026
                                                              • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                              • Instruction ID: f6facd9be01d464781fe06f2e9dfce22635aafd9ed82b64586b0b92a0b284f4c
                                                              • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                                              • Instruction Fuzzy Hash: 8E213B7761A0259ED3417BBDBC145DA3750EF942B8B4502B2D298CF143EA1C708686D5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2224304227.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (B#I$(B#I$(B#I$(B#I$(B#I$X7+h
                                                              • API String ID: 0-1369167908
                                                              • Opcode ID: 595c79b1d2646fb3259798569cfb71f905eff7fda99bee16b56cdcfd341d2c0b
                                                              • Instruction ID: d78955b9755f9ded8cfef2c0aee2027c5e4e9154e5b2cb4239a8a4f0082dff6e
                                                              • Opcode Fuzzy Hash: 595c79b1d2646fb3259798569cfb71f905eff7fda99bee16b56cdcfd341d2c0b
                                                              • Instruction Fuzzy Hash: 71D12F31D0EA8A5FEB99AB2858145B5BBA1EF1A390F1801FFD54DCB0D3EE1CA805C355
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2223614534.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8737e1e89026bf4aea8adb17103541da559990c510b2e1a9862c87fc20ea42be
                                                              • Instruction ID: 8912fb32c0678f46b492a715ab0a42a63e2b2ca8d4e5eb794891b78a94ed5ef3
                                                              • Opcode Fuzzy Hash: 8737e1e89026bf4aea8adb17103541da559990c510b2e1a9862c87fc20ea42be
                                                              • Instruction Fuzzy Hash: 0EC15F30A1CA4D8FDF89EF58D495AA97BF1FF68340F14416AD409D7296DB39E881CB80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2223614534.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2dae65b0a635d967213072b502cd37f200167da8589d8f1f76f61ad9e3fd7b06
                                                              • Instruction ID: 07048a1f3197adaa2aa7557e0a07b5da4eab2e423e2177f7fdbefcd9d2edecac
                                                              • Opcode Fuzzy Hash: 2dae65b0a635d967213072b502cd37f200167da8589d8f1f76f61ad9e3fd7b06
                                                              • Instruction Fuzzy Hash: 9531093191CB888FEB199F1CAC066E97BE0FB55711F00426FE049D3292CA71A855CBC2
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2222783139.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848e0d000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 83c6d1070e92d4e2e6ea54c64994e3d9f15bf33d42ab2cec32593cbbc6dd3188
                                                              • Instruction ID: e5f2c4991781607dbdec29eaba45debd4b48c4b5715e082df217871d986b8942
                                                              • Opcode Fuzzy Hash: 83c6d1070e92d4e2e6ea54c64994e3d9f15bf33d42ab2cec32593cbbc6dd3188
                                                              • Instruction Fuzzy Hash: B041E37180DBC44FE7569B28A8559523FF0FF57260F150AEFD088CB1A3E625A84AC792
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2223614534.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4a824621e6018280eacfccaea04e9a8c781cd4a2a86bd580fead5c8c82de89eb
                                                              • Instruction ID: 42c7ed1be73a4e708ca153bc7ecf0ff7ad2b4ba10a91584c1089495a004a3dfc
                                                              • Opcode Fuzzy Hash: 4a824621e6018280eacfccaea04e9a8c781cd4a2a86bd580fead5c8c82de89eb
                                                              • Instruction Fuzzy Hash: 0F212B3190C74C4FDB59DB6C984A7E97FF0EB96320F04416FD048C3192DA74A456CB92
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2223614534.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                              • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                              • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2223614534.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d5060b26c9c4196595c55bbb1af58388a76ba94fab78e063f33aaeb1c8b29e73
                                                              • Instruction ID: c6c16936e490efe25eecf06de6b4f23a96065ebdd4b270ba7e81a0e70785ea81
                                                              • Opcode Fuzzy Hash: d5060b26c9c4196595c55bbb1af58388a76ba94fab78e063f33aaeb1c8b29e73
                                                              • Instruction Fuzzy Hash: CFF0F63650DACC4FDB82EF2CA8690E8BF90FF66215B0402EBD448C7161EB224948CB81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2224304227.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6d82cbbbbd25350d8bc705f617a707a25a9cc2f5e89769c505d7f688b3a86633
                                                              • Instruction ID: 66ae661fbd5a3be87ccc885ff1bf18edd84fe351c4df1a48fc64353aaa19cdb4
                                                              • Opcode Fuzzy Hash: 6d82cbbbbd25350d8bc705f617a707a25a9cc2f5e89769c505d7f688b3a86633
                                                              • Instruction Fuzzy Hash: 37F09A32A0C5058FD759EB0CE4058A8B3E0FF64361B1500BBE11DC71A3DB26EC418799
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2224304227.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c8885af5ad30cc68deb735873986eb40f25afbd64c92ebd2db2fa86ab8b5466
                                                              • Instruction ID: e8c0c94e737dee8a32600f0352ba9475bdf1e36c7121b1e40418ddeb0fe4b33d
                                                              • Opcode Fuzzy Hash: 5c8885af5ad30cc68deb735873986eb40f25afbd64c92ebd2db2fa86ab8b5466
                                                              • Instruction Fuzzy Hash: 88F0B832A0C5448FD758EB0CE4458A8B3E0FF04321F0500BBE209EB1A3DB2AAC608764
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2224304227.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                              • Instruction ID: d769517fa595beb740091979c284fb2f197ba556f1da16d26ccdbdaf57273a59
                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                              • Instruction Fuzzy Hash: 76E0123170C4048FD669EB0CE0409A973E1FBA8361B1101B7E24EC7561C721EC518B84
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2223614534.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                              • API String ID: 0-962139525
                                                              • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                              • Instruction ID: 7fd3566e5afb083c6e6401c0847751e720ad71e5f9896b647dd2248b4652e339
                                                              • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                              • Instruction Fuzzy Hash: FD21D473A29525DAD242366CB8419DD7790EF543B978603F3E028CF193EE1CA48B8A95
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2386601932.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7ff849000000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (B$I$(B$I$(B$I$(B$I$(B$I
                                                              • API String ID: 0-3685135179
                                                              • Opcode ID: 215e39bc6a6d01fd9961f7ea86d49bef8207c15ce10cffe8a7c6478cf526d232
                                                              • Instruction ID: 2e488627417fe50c22e28fb33a456c6e3bdb8316e1c30568031d90db23f8d81f
                                                              • Opcode Fuzzy Hash: 215e39bc6a6d01fd9961f7ea86d49bef8207c15ce10cffe8a7c6478cf526d232
                                                              • Instruction Fuzzy Hash: 98D13431D0EACA5FEBA9EF2868155B57BE2EF15794F0802FAD04DD7083EA18D8058352
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2386601932.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7ff849000000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: B$p>$I
                                                              • API String ID: 0-2083648404
                                                              • Opcode ID: af957728218af86be2d58b4af77fa1c0a5e0d556c3d5d81930907b7ba956fb29
                                                              • Instruction ID: 0bd5106a4bf575e590bdd8a1f944564bd554ecf129b0a0524b06ed6bc2e2ab0f
                                                              • Opcode Fuzzy Hash: af957728218af86be2d58b4af77fa1c0a5e0d556c3d5d81930907b7ba956fb29
                                                              • Instruction Fuzzy Hash: 79513332E0DA894FEBB5EE2868596B57BE1EF95360F0801FAD04DC7193FA18EC058355
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2386601932.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_7ff849000000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 8>$I
                                                              • API String ID: 0-3301367642
                                                              • Opcode ID: 1870f92e812941a3fe65cd604be2e5dda5c06eaea13cda434fef90c448ad55ee
                                                              • Instruction ID: 209725712dc8905fc0b1f671265b21d0d79dfaa102b9d5612da119bc20e04674
                                                              • Opcode Fuzzy Hash: 1870f92e812941a3fe65cd604be2e5dda5c06eaea13cda434fef90c448ad55ee
                                                              • Instruction Fuzzy Hash: 7E510932E0DA8A4FEBA9EE1C64116B577E2EF54261F5801FAC04DC7193FE24EC158355
                                                              Strings
                                                              Memory Dump Source