

Windows Analysis Report
I8YtUAUWeS.exe

Overview

General Information

Sample name: I8YtUAUWeS.exe (renamed because the original name is a hash value)
Original sample name: dd4c271013a197bb197b6d0558d98c05374d337a57cc5fefd5ef1ec8f01f8608.exe
Analysis ID: 1532617
MD5: a30dc93d4ccb4526ac16beb598787e80
SHA1: 1acaf45fe7837744ce5dfb0c56794b002743d851
SHA256: dd4c271013a197bb197b6d0558d98c05374d337a57cc5fefd5ef1ec8f01f8608
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • I8YtUAUWeS.exe (PID: 6968 cmdline: "C:\Users\user\Desktop\I8YtUAUWeS.exe" MD5: A30DC93D4CCB4526AC16BEB598787E80)
    • powershell.exe (PID: 6532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5252 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'I8YtUAUWeS.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3436 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6412 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5260 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 3160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • System User (PID: 4580 cmdline: "C:\Users\user\AppData\Roaming\System User" MD5: A30DC93D4CCB4526AC16BEB598787E80)
  • System User (PID: 5500 cmdline: "C:\Users\user\AppData\Roaming\System User" MD5: A30DC93D4CCB4526AC16BEB598787E80)
  • OpenWith.exe (PID: 5280 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • svchost.exe (PID: 4292 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • OpenWith.exe (PID: 3948 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
  • System User (PID: 1172 cmdline: "C:\Users\user\AppData\Roaming\System User" MD5: A30DC93D4CCB4526AC16BEB598787E80)
  • cleanup
Extracted malware configuration: {"C2 url": ["147.185.221.23"], "Port": "19686", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara matches (Source | Rule | Description | Author, with matched strings where the rule reports them):

I8YtUAUWeS.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
I8YtUAUWeS.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xef0a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xefa7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf0bc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe342:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\System User | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\System User | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xef0a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xefa7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf0bc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe342:$cnc4: POST / HTTP/1.1
00000000.00000000.2026291446.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000000.2026291446.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xed0a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xeda7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xeebc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe142:$cnc4: POST / HTTP/1.1
Process Memory Space: I8YtUAUWeS.exe PID: 6968 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.I8YtUAUWeS.exe.fe0000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.0.I8YtUAUWeS.exe.fe0000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xef0a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xefa7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf0bc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xe342:$cnc4: POST / HTTP/1.1

Note: the MALWARE_Win_AsyncRAT matches rest on three generic HTTP user-agent strings and a "POST / HTTP/1.1" literal ($cnc1-$cnc4), not on family-specific code; the XWorm classification rests on the JoeSecurity_XWorm rule and the extracted configuration. The dropped file and the submitted sample match at identical offsets because they are the same binary (same MD5 in the process tree).

            System Summary

Sigma rule matches:

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\I8YtUAUWeS.exe", ParentImage: C:\Users\user\Desktop\I8YtUAUWeS.exe, ParentProcessId: 6968, ParentProcessName: I8YtUAUWeS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', ProcessId: 6532, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\I8YtUAUWeS.exe", ParentImage: C:\Users\user\Desktop\I8YtUAUWeS.exe, ParentProcessId: 6968, ParentProcessName: I8YtUAUWeS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', ProcessId: 6532, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\System User, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\I8YtUAUWeS.exe, ProcessId: 6968, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System User
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Roaming\System User", CommandLine: "C:\Users\user\AppData\Roaming\System User", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\System User, NewProcessName: C:\Users\user\AppData\Roaming\System User, OriginalFileName: C:\Users\user\AppData\Roaming\System User, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: "C:\Users\user\AppData\Roaming\System User", ProcessId: 4580, ProcessName: System User
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\I8YtUAUWeS.exe", ParentImage: C:\Users\user\Desktop\I8YtUAUWeS.exe, ParentProcessId: 6968, ParentProcessName: I8YtUAUWeS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', ProcessId: 6532, ProcessName: powershell.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\I8YtUAUWeS.exe, ProcessId: 6968, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\I8YtUAUWeS.exe", ParentImage: C:\Users\user\Desktop\I8YtUAUWeS.exe, ParentProcessId: 6968, ParentProcessName: I8YtUAUWeS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User", ProcessId: 5260, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\I8YtUAUWeS.exe", ParentImage: C:\Users\user\Desktop\I8YtUAUWeS.exe, ParentProcessId: 6968, ParentProcessName: I8YtUAUWeS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe', ProcessId: 6532, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4292, ProcessName: svchost.exe

Note: four of the rows above are the same event (powershell.exe PID 6532, the first Defender exclusion) matched by four different rules. The svchost.exe row is the standard service-host command line for the BITS service; its parent (PID 632) is not in the sample's process tree, so it is not evidence of sample activity. The persistence is triple: the HKCU Run value, the Startup-folder .lnk, and the every-minute scheduled task, all pointing at C:\Users\user\AppData\Roaming\System User.

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T18:55:59.271339+0200 | 2855924 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49987 | 147.185.221.23 | 19686 | TCP


AV Detection

Source: I8YtUAUWeS.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\System User | Avira: detection malicious, Label: TR/Spy.Gen
Source: I8YtUAUWeS.exe | Malware Configuration Extractor: Xworm {"C2 url": ["147.185.221.23"], "Port": "19686", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: 147.185.221.23 | Virustotal: Detection: 12%
Source: C:\Users\user\AppData\Roaming\System User | ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Roaming\System User | Virustotal: Detection: 69%
Source: I8YtUAUWeS.exe | Virustotal: Detection: 69%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\System User | Joe Sandbox ML: detected
Source: I8YtUAUWeS.exe | Joe Sandbox ML: detected
Source: I8YtUAUWeS.exe | String decryptor: 147.185.221.23
Source: I8YtUAUWeS.exe | String decryptor: 19686
Source: I8YtUAUWeS.exe | String decryptor: <123456789>
Source: I8YtUAUWeS.exe | String decryptor: <Xwormmm>
Source: I8YtUAUWeS.exe | String decryptor: XWorm V5.6
Source: I8YtUAUWeS.exe | String decryptor: USB.exe
Source: I8YtUAUWeS.exe | String decryptor: %AppData%
Source: I8YtUAUWeS.exe | String decryptor: System User
Source: I8YtUAUWeS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: I8YtUAUWeS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Note: the dropped file and the submitted sample share one MD5 (see the process tree), so the vendor scores above are two verdicts on the same binary. Two details worth recording before reusing the extracted configuration as indicators: the decrypted-string list contains a value (<123456789>) that the extractor did not map to any configuration field, and the configured install file name (USB.exe) is not the name actually used on disk, which is "System User" under %AppData%.

Networking

Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49974 -> 147.185.221.23:19686
Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49987 -> 147.185.221.23:19686
Source: Malware configuration extractor | URLs: 147.185.221.23
Source: global traffic | TCP traffic: 192.168.2.5:49974 -> 147.185.221.23:19686
Source: Joe Sandbox View | IP Address: 147.185.221.23
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | TCP traffic detected without corresponding DNS query: 147.185.221.23 (17 connections)

Note: the two ETPRO rule names refer to XWorm V3 while the extracted configuration reports the version string "XWorm V5.6"; the alerts show that the rules' PING-command pattern still matches this build. The C2 address is a literal IP in the configuration, which is why none of the 17 connections is preceded by a DNS query.
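The 17 connections above share the property that the report's "TCP traffic detected without corresponding DNS query" signature keys on: the sample connects to a literal IP taken from its configuration, so no DNS answer ever precedes the flow. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it correlates TCP flows with earlier DNS answers and with the extracted configuration to flag such hard-coded C2 connections, and counts repeated hits to the same destination. The flow and DNS records are constructed to mirror the report (only the 147.185.221.23:19686 flows and the extractor fields are taken from it; the connectivity-check and SMB rows are invented controls), and the COMMON_PORTS set is the example's own assumption.

```python
"""Flag outbound TCP flows with no DNS precedent, an unusual port, or a known C2 endpoint.

Added example, not part of the Joe Sandbox report or of the sample. Records are
constructed: only the 147.185.221.23:19686 flows and the config fields come from
the report; the other rows are invented controls.
"""
from collections import Counter
from ipaddress import ip_address

# Ports a workstation normally talks to directly (this example's assumption);
# a public destination on any other port is worth a second look.
COMMON_PORTS = {53, 80, 443, 123, 587, 993, 995}

# (t_seconds, queried_name, answered_ip) -- constructed
DNS_ANSWERS = [
    (2.0, "www.msftconnecttest.com", "13.107.4.52"),
]
# (t_seconds, src_ip, src_port, dst_ip, dst_port) -- constructed, two rows mirror the report
TCP_FLOWS = [
    (2.3, "192.168.2.5", 49910, "13.107.4.52", 80),          # resolved first, common port
    (5.1, "192.168.2.5", 49974, "147.185.221.23", 19686),    # from the report
    (41.7, "192.168.2.5", 49987, "147.185.221.23", 19686),   # from the report
    (60.0, "192.168.2.5", 49990, "192.168.2.1", 445),        # local SMB, out of scope
]
# Field names and values as printed by the report's configuration extractor.
EXTRACTED_CONFIG = {"C2 url": ["147.185.221.23"], "Port": "19686"}


def config_endpoints(cfg):
    """(ip, port) pairs the extractor pulled out of the sample."""
    return {(host, int(cfg["Port"])) for host in cfg["C2 url"]}


def flag_flows(flows, dns_answers, cfg=None):
    """One alert per outbound flow to a public IP that trips at least one check."""
    known_c2 = config_endpoints(cfg) if cfg else set()
    alerts = []
    for t, src, sport, dst, dport in flows:
        if not ip_address(dst).is_global:
            continue  # RFC1918 / loopback / link-local traffic is not C2 egress
        # Only answers seen before the connection count as a resolution for it.
        resolved = {ip for t_dns, _, ip in dns_answers if t_dns <= t}
        reasons = []
        if dst not in resolved:
            reasons.append("no_dns_resolution")
        if dport not in COMMON_PORTS:
            reasons.append("nonstandard_port")
        if (dst, dport) in known_c2:
            reasons.append("matches_extracted_config")
        if reasons:
            alerts.append({"t": t, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                           "reasons": tuple(reasons)})
    return alerts


def beacon_candidates(alerts):
    """Destinations reached more than once without DNS: repeated hard-coded connects look like beaconing."""
    counts = Counter(a["dst"] for a in alerts if "no_dns_resolution" in a["reasons"])
    return {dst: n for dst, n in counts.items() if n > 1}


if __name__ == "__main__":
    found = flag_flows(TCP_FLOWS, DNS_ANSWERS, EXTRACTED_CONFIG)
    for a in found:
        print(f'{a["t"]:>6}s {a["src"]} -> {a["dst"]}: {", ".join(a["reasons"])}')
    print("beacon candidates:", beacon_candidates(found))
```

The "no DNS precedent" check is the one that survives a C2 move: if the operator rotates the address, the config-match rule goes stale immediately, while a process that opens sockets to public IPs it never resolved still stands out.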
Source: powershell.exe, 00000005.00000002.2274143073.00000210FAEFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micr
Source: powershell.exe, 0000000A.00000002.2618590988.000001C2623B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsK
Source: powershell.exe, 0000000A.00000002.2611369943.000001C262265000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microso
Source: svchost.exe, 00000013.00000002.3299228135.000001EC0740F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.19.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.19.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.2122053980.00000202F1FB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2248965441.00000210F2862000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403033636.0000022E3A051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2590606690.000001C259F10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2462131219.000001C24A0C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2101074004.00000202E2169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2175055839.00000210E2A19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306695024.0000022E2A208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2462131219.000001C24A0C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: I8YtUAUWeS.exe, 00000000.00000002.3300789464.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2101074004.00000202E1F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2175055839.00000210E27F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306695024.0000022E29FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2462131219.000001C249EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2101074004.00000202E2169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2175055839.00000210E2A19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306695024.0000022E2A208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2462131219.000001C24A0C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.2462131219.000001C24A0C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.2128743212.00000202FA5DB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2127918335.00000202FA450000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: powershell.exe, 00000005.00000002.2271190975.00000210FACC5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mioft.sito
Source: powershell.exe, 00000002.00000002.2101074004.00000202E1F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2175055839.00000210E27F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306695024.0000022E29FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2462131219.000001C249EA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2590606690.000001C259F10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2590606690.000001C259F10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2590606690.000001C259F10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000013.00000003.2761258612.000001EC07340000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 0000000A.00000002.2462131219.000001C24A0C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2122053980.00000202F1FB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2248965441.00000210F2862000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403033636.0000022E3A051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2590606690.000001C259F10000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.19.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:

Note: apart from the .NET claims URI (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name), every string above was found in powershell.exe or svchost.exe memory or in the BITS queue database (qmgr.db, edb.log), not in the sample. They are not indicators of this sample; the only sample-derived network indicator in this section is 147.185.221.23:19686.

Operating System Destruction

Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Process information set: 01 00 00 00

Note: this is the BreakOnTermination (critical process) flag named in the signature list above. Once it is set, terminating the process bug-checks the machine, so a responder should clear the flag (which needs debug privilege) before killing it, or plan for the reboot.

System Summary

Source: I8YtUAUWeS.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.I8YtUAUWeS.exe.fe0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2026291446.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\System User, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Code function: 0_2_00007FF848F21689
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Code function: 0_2_00007FF848F292D2
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Code function: 0_2_00007FF848F28116
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Code function: 0_2_00007FF848F216C9
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Code function: 0_2_00007FF848F2205D
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Code function: 0_2_00007FF848F20EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848FF30E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF8490030E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF8490132C0
Source: C:\Users\user\AppData\Roaming\System User | Code function: 16_2_00007FF848F31689
Source: C:\Users\user\AppData\Roaming\System User | Code function: 16_2_00007FF848F30E78
Source: C:\Users\user\AppData\Roaming\System User | Code function: 16_2_00007FF848F316C9
Source: C:\Users\user\AppData\Roaming\System User | Code function: 16_2_00007FF848F3205D
Source: C:\Users\user\AppData\Roaming\System User | Code function: 17_2_00007FF848F31689
Source: C:\Users\user\AppData\Roaming\System User | Code function: 17_2_00007FF848F30E78
Source: C:\Users\user\AppData\Roaming\System User | Code function: 17_2_00007FF848F316C9
Source: C:\Users\user\AppData\Roaming\System User | Code function: 17_2_00007FF848F3205D
Source: C:\Users\user\AppData\Roaming\System User | Code function: 21_2_00007FF848F21689
Source: C:\Users\user\AppData\Roaming\System User | Code function: 21_2_00007FF848F20E78
Source: C:\Users\user\AppData\Roaming\System User | Code function: 21_2_00007FF848F216C9
Source: I8YtUAUWeS.exe, 00000000.00000000.2026323499.0000000000FF4000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs I8YtUAUWeS.exe
Source: I8YtUAUWeS.exe | Binary or memory string: OriginalFilenameXClient.exe4 vs I8YtUAUWeS.exe
Source: I8YtUAUWeS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: I8YtUAUWeS.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.I8YtUAUWeS.exe.fe0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2026291446.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\System User, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: I8YtUAUWeS.exe, hHtToY5ZUKLuPOSbeLRo3.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: I8YtUAUWeS.exe, hHtToY5ZUKLuPOSbeLRo3.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: I8YtUAUWeS.exe, m2BAhhlsewW0hqPyyepxZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System User.0.dr, hHtToY5ZUKLuPOSbeLRo3.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System User.0.dr, hHtToY5ZUKLuPOSbeLRo3.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: System User.0.dr, m2BAhhlsewW0hqPyyepxZ.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: I8YtUAUWeS.exe, tJSWYob5ALVVIoCyBPv29bnBd9LyK66uvMWR7XmhHxUa28f3rr8ZZziGcdDFX.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: I8YtUAUWeS.exe, tJSWYob5ALVVIoCyBPv29bnBd9LyK66uvMWR7XmhHxUa28f3rr8ZZziGcdDFX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: System User.0.dr, tJSWYob5ALVVIoCyBPv29bnBd9LyK66uvMWR7XmhHxUa28f3rr8ZZziGcdDFX.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: System User.0.dr, tJSWYob5ALVVIoCyBPv29bnBd9LyK66uvMWR7XmhHxUa28f3rr8ZZziGcdDFX.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: I8YtUAUWeS.exe, 00000000.00000002.3289351917.000000000149C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;.VBP
Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/25@0/2
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | File created: C:\Users\user\AppData\Roaming\System User
Source: C:\Users\user\AppData\Roaming\System User | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5280:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3948:120:WilError_03
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Mutant created: \Sessions\1\BaseNamedObjects\01yUEO8vZx2S0uqM
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3160:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
Source: I8YtUAUWeS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: I8YtUAUWeS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: I8YtUAUWeS.exe | Virustotal: Detection: 69%
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | File read: C:\Users\user\Desktop\I8YtUAUWeS.exe
Source: unknown | Process created: C:\Users\user\Desktop\I8YtUAUWeS.exe "C:\Users\user\Desktop\I8YtUAUWeS.exe"
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'I8YtUAUWeS.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\System User "C:\Users\user\AppData\Roaming\System User"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\System User "C:\Users\user\AppData\Roaming\System User"
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\System User "C:\Users\user\AppData\Roaming\System User"
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\System User | Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe | Section loaded: resourcepolicyclient.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: policymanager.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: msvcp110_win.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
            Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: wldp.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: twinui.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: wintypes.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: powrprof.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: dwmapi.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: pdh.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: umpdc.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: actxprxy.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: propsys.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: profapi.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.appdefaults.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.immersive.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: ntmarta.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: uiautomationcore.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: dui70.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: duser.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: dwrite.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: bcp47mrm.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: uianimation.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d11.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: dxgi.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: d3d10warp.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: resourcepolicyclient.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: dxcore.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: dcomp.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: oleacc.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: edputil.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.ui.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windowmanagementapi.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: textinputframework.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: inputhost.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: coreuicomponents.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: coremessaging.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windowscodecs.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: thumbcache.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: sxs.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: directmanipulation.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: textshaping.dll
            Source: C:\Users\user\AppData\Roaming\System UserSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\System UserSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\System UserSection loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\System UserSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\System UserSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\System UserSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\System UserSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\System UserSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\System UserSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\System UserSection loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
            Source: System User.lnk.0.drLNK file: ..\..\..\..\..\System User
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: I8YtUAUWeS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: I8YtUAUWeS.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: I8YtUAUWeS.exe, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{F2ftAawcuzEO8EoZsDiuySQ9Yu74GfJdBz9j7yySeOFjaYyVmyWjG26fJsbzq.vsfszfZwpJRYoGBIm0EFmIoCsFXyGLU8JCqUTxhJzsWXQWkdYA7lgk4NiT4Ib,F2ftAawcuzEO8EoZsDiuySQ9Yu74GfJdBz9j7yySeOFjaYyVmyWjG26fJsbzq.uq2FfzDlfpp7Tve1ug28zFNduX4k5EMgK7vh7s93DAzpWDWCgIBOw3RuCtiSE,F2ftAawcuzEO8EoZsDiuySQ9Yu74GfJdBz9j7yySeOFjaYyVmyWjG26fJsbzq.fFSnlrpyh9dVJXH3rEQ905u7qEf6fhgX3BLzQsXabhS2LCGfQVIqMKt7H0C4B,F2ftAawcuzEO8EoZsDiuySQ9Yu74GfJdBz9j7yySeOFjaYyVmyWjG26fJsbzq.Yu8FEoZEwgzqzWSlCuzdRR0lhsWKCCcDwJEfQ9baiFURVfBMuk9IcK2Ei6uGD,hHtToY5ZUKLuPOSbeLRo3.TSuzSDhNG1ZUuLLMySK2d()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: I8YtUAUWeS.exe, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_5jJZRtmGijnYl5NNYdT9bUo7sJxMp339aIAq[2],hHtToY5ZUKLuPOSbeLRo3.fMfWiN53vfCBXzCXq5miX(Convert.FromBase64String(_5jJZRtmGijnYl5NNYdT9bUo7sJxMp339aIAq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: System User.0.dr, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{F2ftAawcuzEO8EoZsDiuySQ9Yu74GfJdBz9j7yySeOFjaYyVmyWjG26fJsbzq.vsfszfZwpJRYoGBIm0EFmIoCsFXyGLU8JCqUTxhJzsWXQWkdYA7lgk4NiT4Ib,F2ftAawcuzEO8EoZsDiuySQ9Yu74GfJdBz9j7yySeOFjaYyVmyWjG26fJsbzq.uq2FfzDlfpp7Tve1ug28zFNduX4k5EMgK7vh7s93DAzpWDWCgIBOw3RuCtiSE,F2ftAawcuzEO8EoZsDiuySQ9Yu74GfJdBz9j7yySeOFjaYyVmyWjG26fJsbzq.fFSnlrpyh9dVJXH3rEQ905u7qEf6fhgX3BLzQsXabhS2LCGfQVIqMKt7H0C4B,F2ftAawcuzEO8EoZsDiuySQ9Yu74GfJdBz9j7yySeOFjaYyVmyWjG26fJsbzq.Yu8FEoZEwgzqzWSlCuzdRR0lhsWKCCcDwJEfQ9baiFURVfBMuk9IcK2Ei6uGD,hHtToY5ZUKLuPOSbeLRo3.TSuzSDhNG1ZUuLLMySK2d()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: System User.0.dr, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_5jJZRtmGijnYl5NNYdT9bUo7sJxMp339aIAq[2],hHtToY5ZUKLuPOSbeLRo3.fMfWiN53vfCBXzCXq5miX(Convert.FromBase64String(_5jJZRtmGijnYl5NNYdT9bUo7sJxMp339aIAq[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: I8YtUAUWeS.exe, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | .Net Code: x8CILnd5u9OZnX1o1ApqB72O8wj485mwQQXR System.AppDomain.Load(byte[])
            Source: I8YtUAUWeS.exe, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | .Net Code: SgzPOYj6vfPnA6sdhyYsCjh0oc2v4SO9h18k System.AppDomain.Load(byte[])
            Source: I8YtUAUWeS.exe, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | .Net Code: SgzPOYj6vfPnA6sdhyYsCjh0oc2v4SO9h18k
            Source: System User.0.dr, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | .Net Code: x8CILnd5u9OZnX1o1ApqB72O8wj485mwQQXR System.AppDomain.Load(byte[])
            Source: System User.0.dr, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | .Net Code: SgzPOYj6vfPnA6sdhyYsCjh0oc2v4SO9h18k System.AppDomain.Load(byte[])
            Source: System User.0.dr, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | .Net Code: SgzPOYj6vfPnA6sdhyYsCjh0oc2v4SO9h18k
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848E0D2A5 pushad ; iretd 2_2_00007FF848E0D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FF848FF2316 push 8B485F93h; iretd 2_2_00007FF848FF231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848E0D2A5 pushad ; iretd 5_2_00007FF848E0D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848F2C2C5 push ebx; iretd 5_2_00007FF848F2C2DA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_00007FF848FF2316 push 8B485F93h; iretd 5_2_00007FF848FF231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF848E1D2A5 pushad ; iretd 8_2_00007FF848E1D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 8_2_00007FF849002316 push 8B485F92h; iretd 8_2_00007FF84900231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF848E2D2A5 pushad ; iretd 10_2_00007FF848E2D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF849012316 push 8B485F91h; iretd 10_2_00007FF84901231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 10_2_00007FF849014F00 push eax; ret 10_2_00007FF849014F01
            Source: I8YtUAUWeS.exe, WfTrhtXeQWEAFAKOxC2wAKuGvsKGCyJE5CuZo2YsFjbVf9eOhBMBjN.cs | High entropy of concatenated method names: 'uW2VSTbE4JjZGezYk1skEmXgX8NOqNMTVYY8y1Sf8wlvlQipt665Y0', 'j84QqiLnBILpIb9PNe8PnQ4dEe2es7T8M3C1F06lHyfgMJkw7nQgmj', 'vQf5QeMLL4nnnYZvUUIM2dYMewS9FZyxua9cnPrZaMGNzf2ib9TKO6', '_9wFQiadgxeU6oUpjV3eLiOTdDfdVLqJtpYOmp6eCthaIcjNI', 'qJi60NICvmnXVg7mzrKsD2GbLUOALBfVFO7qpO2lPIrNYhye', 'duG9S3w5D6no7GfF9U7KU5eRsV41fiGlx66iK30Bb0MKdZhd', 'Qq8RDPDceMVALyi6z992avhjkSivkiuckbSjsD5LZ5xvXE805x6Ee7SY5YmbPj7SM629bnr16ud7B24u5', 'yDFIbfVMy2vrwwotTtWPZPWLYnAz2KZuUThUJ0U4eAV93MZgRhuo7ymwJFKaKcQeVxFKHzWWEEPxuG3Ak', 'w4zyo0TiL0FYuw06DuZeysx2eGs5MDwDFecxMJfsconutMVHv14ZEcTV6nbYTJ5X8xitIJHT6P8FCwjyW', 'LjPhDsmaHLg8aGtZhbE9cqlKrEuvlEUo5jChBphPV257qdG24mMGOJM039vLyeGJLKyRf4iOSVvWcXU1X'
            Source: I8YtUAUWeS.exe, tJSWYob5ALVVIoCyBPv29bnBd9LyK66uvMWR7XmhHxUa28f3rr8ZZziGcdDFX.cs | High entropy of concatenated method names: 'C0ej2MWqmaPKK1mW6BeO9xsTlCP5hHj7KLqMFHXA2VSNT0Ni2Yik53bliW0jC', 'uNsWUIkhPcbrX5ZeN8URP2x9bvB8MmhT4ms6p4VdFa6qzRBaVEU4dHJPxnNAi', 'BLmbqeWmqIOYiA3dj1pZxYpgdUlIS34szOX3JydfkhpLjdQe0sfag40hUwkhO4uySF0TdLzXndx630cHmB12vZittezydQ', 'TP8NRj5IM9AqZjHIJiXbIHz7AozAGHF2RJSTvmornxYYvcUZHSve3qOf3rPzC5XCSo2asYMUo33Sp4nzBg2iFsQbp095jc', 'x8zab12CRbkSJOb5lGvNoUPO8zfJtF7fztAH9rQ0H6rr5ffIQegUgzMigEnsUNabWnv2IcVcqKtjJfiY1FO7ICRWWe6yvr', 'Jiaj1rKd9jzdwsKsjOLrUPCYl32C2yw5zwTctWaH2EQIPRKFOiybSvKpmtBAg70bKpDxXWD99UgG0JfIeebpA8Fz0kHW8C', 'dFZ5FVzZIqWxxEElxXCnzO9aeOxPVnRXjr51LhWJzmMOIhFd2UEafdjIaYAXEQRAJpA8OnFzHCsL0STmZKauNtgjfBq8TI', '_61dMEnzMOcG92IhiIu4ImnAHaVRKv7mJIVbjJscVsCoD5gLh0LJC0HhQaEAQBjARuOGV9Ru3aznnB6c1zOSVNCpH3vV4rn', 'uQEnGA1YaFB16i0p0kc2HHXcw2hkjtgxah92IWNReNN91Os5FXpW2GtGvI8VMq0wfyMtNZqiOeCojgbabyAOAbSXSbgxql', 'bAH4Y3h8R4SGsM6WFIRQunffGU1UmL3EvZhGaVpwahpHianVDhaiJIckJxpVppRoD5Uji7Sk5ReGzKkSrRhRDfu1Xya6Dy'
            Source: I8YtUAUWeS.exe, ErSGz8ongezEn78Fpy4EKwa1iDlgtTEoF5vR.cs | High entropy of concatenated method names: 'PFOwcNbwVhfu1kwxK0rYqAS5bVCPk0LB3JLG', 'IEpZeNznCc8zhqZutxiDPpsCpoqIToanAwBx', 'rpCAwrldLGEInRmfESPoDQCL8ALGeUF4B0Ek', 'EDfOJPM9TMuSYaDrkDsmp', 'MxwyfMiOoaZ1Qo2P55nXc', 'MdmyKuNr3HoYifPg8WSxI', 'Q0v28dKWtuGd4o16sJgtd', 'EtxYZEAreCKJyB4WVXfdO', 'NqH3I7i66KW21iI9uSnvS', '_8qJzDrBKaVeNawgMFBk7i'
            Source: I8YtUAUWeS.exe, wmqo1kVztBSWD6AutimS2.cs | High entropy of concatenated method names: 'GxC9eifom7K9FvgD3yzH8', 'OhKoErFIssYiyy3LCQSK8', 'KClnLWQiuNO3dYdWc3VZi', 'GQKbPg63ELXxjVprRX0oA', 'Ahni1Q7ewajQQMg1kR0Nre3uCraCmTf', 'S9X8AFOqd58a3JusHeluamXaLb6YD8MlcAmqhfKGnPaMX8UR70ufNgkC5wfFonb', 'ZDMWUJauOnjhzHTAXE6pARDhV5DO9ii1V4Dxk7LOmWuwm8PsJh1xhZcCECnahZn', 'zB3G7MlXpjukAf5MnAfwe1mO3ZmuSU0SHjT2do8b4zrhDxCVH5fCpbocBEWyMU6', 'mb6Nxnzo4ElsF6VP6KXjxVXYBnWLNkWwLT26M5vv5Cl4jERnc0jKaMxbWt3Wxln', 'gjevFFcWpM9pdtIezNPaH6sj8zZMQ6TCSBVPtEeavd2zkjzjwrvINX7FR9puaVw'
            Source: I8YtUAUWeS.exe, hHtToY5ZUKLuPOSbeLRo3.cs | High entropy of concatenated method names: '_0lxfdS5IDagvH9KeaRWmX', 'Wm2EVKtvOplz5fphzYndv', 'fDI6JiCZc3BFsWdAabPYl', 'pJJxydD52CYdywHxRWeC5', 'DUYjs87FuTnRZKE4vEp8m', '_5Wk8TLb5JIDI4TebG2BVB', 'rgFPxMdttXlit41rddOFQ', 'qi7kmID8lksedyDuvnTh7', 'TpbxDbS6KSUFDTh69OrmK', 'yqXG6gOjHB70SOGHi7pl0'
            Source: I8YtUAUWeS.exe, m2BAhhlsewW0hqPyyepxZ.cs | High entropy of concatenated method names: 'pWSe8zkiPqcWuOUgAovjs', 'kmcnpxKkbAUSZ5HgWXPQsz6Wxfum14VtBmqSfy0OXmSNG3KApsmlKNLOQbyTh9g', 'eTBXf6N6uIeoAGqpG5qkm96IhY9q1BmR0l9qWaggAvBUeVnxjCg7fvMyI5HCnIa', 'fg8CwqZfXKrRLhAeYKMzu690Caep3c6ZE74DqzeCXkTi7L4kOKlF2nQBmfsEq4z', 'NU0NPuT8hbbnEDAcyT3yCHzOW2V7JK6DYjjINUdFBC0Jck9sQtx5AWcNoXC4NGq'
            Source: I8YtUAUWeS.exe, c1T49VdNjnFNWHNe7BfemsLpfH9la8dlIMI3.cs | High entropy of concatenated method names: 'RkbVBkLfO8NHFqk3z9YM3BknzshPXyT3LLRB', 'r1uhEUnLBhHdqg3YE4q5dVl3f1u1Znc', 'Dwyv7BNNJWqoUjOFs7dByQSS2Xly2mU', 'shb1pCLWPp26aMsIgHxy8enRNTCBhy0', 'QUFdo5hErYe2wRGVmpQ0HiDEZ5Wxoif'
            Source: I8YtUAUWeS.exe, aJjxApcjLvIQefRJQMiXpTQQXVYlAtzb5U3lQMUs0XMfbBd4Kzbhrms7DMWoX.cs | High entropy of concatenated method names: 'hIkJnrNr96LqDtKOldg69Kg7DO8EvmH26jdvLe1IPt2cqhXQ5COojMZuTKtOI', '_2Swd3q3t67jCeXOafMliAueiYSeUF3xmGSAjljnmRInfXM3vsftOdW84FZYKD', 'EtyXXAp4m0p48XS3KW7htmPwohsjQwFHWBUE28UVL4vt1eb4tVpIhKSiOtng7', '_7w3wyqcdjyhdTJf7SGKmUunm4NqEouUgSfp9UCJh6WoC3ieEmwhcMsbmq7XeT', '_6RZjweNTdkL5wuYg9FEKQNWwQdZEHnMYic3WazDXV5PWYKx2CXzQqgmduUdAH', 'xTBD0wUsKuIrM', 'PvWPlYDbuqBgC', 'khryWFOwj7XMm', 'QUyhPoYGXuGnU', 'kbO2heX9lLi3N'
            Source: I8YtUAUWeS.exe, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | High entropy of concatenated method names: 'q8NYbNPhzHN4RpmaQYGKDnSX8ymXJmz1rOHC', 'x8CILnd5u9OZnX1o1ApqB72O8wj485mwQQXR', 'Fq2BbVHpHhhanH6SySjxHzs17rezqXwe75kL', 'oa5kjBDQ75Xz5hU4lftqFL2TC2HpOHdMkD6m', 'acBNiRSLDQZ8gLpMXt8elGO0tQyZ93scqEBB', '_9Bzz4iODSVfDgVY3KO7xOWWtUMmeZdFrJxqP', 'KFp5VAIFgvIzlvm2sOYef57rg41yL2s3NqNf', 'j084DKIL77L5arWjU7u4BzsvPYWJERkcU8IG', 'zurXwoU9IIDBQIrRplTzVyW75ePKD90fSoFg', '_0wKLKPN72KVIvdUAhel3uUuYt57lcAg0cGT8'
            Source: System User.0.dr, WfTrhtXeQWEAFAKOxC2wAKuGvsKGCyJE5CuZo2YsFjbVf9eOhBMBjN.cs | High entropy of concatenated method names: 'uW2VSTbE4JjZGezYk1skEmXgX8NOqNMTVYY8y1Sf8wlvlQipt665Y0', 'j84QqiLnBILpIb9PNe8PnQ4dEe2es7T8M3C1F06lHyfgMJkw7nQgmj', 'vQf5QeMLL4nnnYZvUUIM2dYMewS9FZyxua9cnPrZaMGNzf2ib9TKO6', '_9wFQiadgxeU6oUpjV3eLiOTdDfdVLqJtpYOmp6eCthaIcjNI', 'qJi60NICvmnXVg7mzrKsD2GbLUOALBfVFO7qpO2lPIrNYhye', 'duG9S3w5D6no7GfF9U7KU5eRsV41fiGlx66iK30Bb0MKdZhd', 'Qq8RDPDceMVALyi6z992avhjkSivkiuckbSjsD5LZ5xvXE805x6Ee7SY5YmbPj7SM629bnr16ud7B24u5', 'yDFIbfVMy2vrwwotTtWPZPWLYnAz2KZuUThUJ0U4eAV93MZgRhuo7ymwJFKaKcQeVxFKHzWWEEPxuG3Ak', 'w4zyo0TiL0FYuw06DuZeysx2eGs5MDwDFecxMJfsconutMVHv14ZEcTV6nbYTJ5X8xitIJHT6P8FCwjyW', 'LjPhDsmaHLg8aGtZhbE9cqlKrEuvlEUo5jChBphPV257qdG24mMGOJM039vLyeGJLKyRf4iOSVvWcXU1X'
            Source: System User.0.dr, tJSWYob5ALVVIoCyBPv29bnBd9LyK66uvMWR7XmhHxUa28f3rr8ZZziGcdDFX.cs | High entropy of concatenated method names: 'C0ej2MWqmaPKK1mW6BeO9xsTlCP5hHj7KLqMFHXA2VSNT0Ni2Yik53bliW0jC', 'uNsWUIkhPcbrX5ZeN8URP2x9bvB8MmhT4ms6p4VdFa6qzRBaVEU4dHJPxnNAi', 'BLmbqeWmqIOYiA3dj1pZxYpgdUlIS34szOX3JydfkhpLjdQe0sfag40hUwkhO4uySF0TdLzXndx630cHmB12vZittezydQ', 'TP8NRj5IM9AqZjHIJiXbIHz7AozAGHF2RJSTvmornxYYvcUZHSve3qOf3rPzC5XCSo2asYMUo33Sp4nzBg2iFsQbp095jc', 'x8zab12CRbkSJOb5lGvNoUPO8zfJtF7fztAH9rQ0H6rr5ffIQegUgzMigEnsUNabWnv2IcVcqKtjJfiY1FO7ICRWWe6yvr', 'Jiaj1rKd9jzdwsKsjOLrUPCYl32C2yw5zwTctWaH2EQIPRKFOiybSvKpmtBAg70bKpDxXWD99UgG0JfIeebpA8Fz0kHW8C', 'dFZ5FVzZIqWxxEElxXCnzO9aeOxPVnRXjr51LhWJzmMOIhFd2UEafdjIaYAXEQRAJpA8OnFzHCsL0STmZKauNtgjfBq8TI', '_61dMEnzMOcG92IhiIu4ImnAHaVRKv7mJIVbjJscVsCoD5gLh0LJC0HhQaEAQBjARuOGV9Ru3aznnB6c1zOSVNCpH3vV4rn', 'uQEnGA1YaFB16i0p0kc2HHXcw2hkjtgxah92IWNReNN91Os5FXpW2GtGvI8VMq0wfyMtNZqiOeCojgbabyAOAbSXSbgxql', 'bAH4Y3h8R4SGsM6WFIRQunffGU1UmL3EvZhGaVpwahpHianVDhaiJIckJxpVppRoD5Uji7Sk5ReGzKkSrRhRDfu1Xya6Dy'
            Source: System User.0.dr, ErSGz8ongezEn78Fpy4EKwa1iDlgtTEoF5vR.cs | High entropy of concatenated method names: 'PFOwcNbwVhfu1kwxK0rYqAS5bVCPk0LB3JLG', 'IEpZeNznCc8zhqZutxiDPpsCpoqIToanAwBx', 'rpCAwrldLGEInRmfESPoDQCL8ALGeUF4B0Ek', 'EDfOJPM9TMuSYaDrkDsmp', 'MxwyfMiOoaZ1Qo2P55nXc', 'MdmyKuNr3HoYifPg8WSxI', 'Q0v28dKWtuGd4o16sJgtd', 'EtxYZEAreCKJyB4WVXfdO', 'NqH3I7i66KW21iI9uSnvS', '_8qJzDrBKaVeNawgMFBk7i'
            Source: System User.0.dr, wmqo1kVztBSWD6AutimS2.cs | High entropy of concatenated method names: 'GxC9eifom7K9FvgD3yzH8', 'OhKoErFIssYiyy3LCQSK8', 'KClnLWQiuNO3dYdWc3VZi', 'GQKbPg63ELXxjVprRX0oA', 'Ahni1Q7ewajQQMg1kR0Nre3uCraCmTf', 'S9X8AFOqd58a3JusHeluamXaLb6YD8MlcAmqhfKGnPaMX8UR70ufNgkC5wfFonb', 'ZDMWUJauOnjhzHTAXE6pARDhV5DO9ii1V4Dxk7LOmWuwm8PsJh1xhZcCECnahZn', 'zB3G7MlXpjukAf5MnAfwe1mO3ZmuSU0SHjT2do8b4zrhDxCVH5fCpbocBEWyMU6', 'mb6Nxnzo4ElsF6VP6KXjxVXYBnWLNkWwLT26M5vv5Cl4jERnc0jKaMxbWt3Wxln', 'gjevFFcWpM9pdtIezNPaH6sj8zZMQ6TCSBVPtEeavd2zkjzjwrvINX7FR9puaVw'
            Source: System User.0.dr, hHtToY5ZUKLuPOSbeLRo3.cs | High entropy of concatenated method names: '_0lxfdS5IDagvH9KeaRWmX', 'Wm2EVKtvOplz5fphzYndv', 'fDI6JiCZc3BFsWdAabPYl', 'pJJxydD52CYdywHxRWeC5', 'DUYjs87FuTnRZKE4vEp8m', '_5Wk8TLb5JIDI4TebG2BVB', 'rgFPxMdttXlit41rddOFQ', 'qi7kmID8lksedyDuvnTh7', 'TpbxDbS6KSUFDTh69OrmK', 'yqXG6gOjHB70SOGHi7pl0'
            Source: System User.0.dr, m2BAhhlsewW0hqPyyepxZ.cs | High entropy of concatenated method names: 'pWSe8zkiPqcWuOUgAovjs', 'kmcnpxKkbAUSZ5HgWXPQsz6Wxfum14VtBmqSfy0OXmSNG3KApsmlKNLOQbyTh9g', 'eTBXf6N6uIeoAGqpG5qkm96IhY9q1BmR0l9qWaggAvBUeVnxjCg7fvMyI5HCnIa', 'fg8CwqZfXKrRLhAeYKMzu690Caep3c6ZE74DqzeCXkTi7L4kOKlF2nQBmfsEq4z', 'NU0NPuT8hbbnEDAcyT3yCHzOW2V7JK6DYjjINUdFBC0Jck9sQtx5AWcNoXC4NGq'
            Source: System User.0.dr, c1T49VdNjnFNWHNe7BfemsLpfH9la8dlIMI3.cs | High entropy of concatenated method names: 'RkbVBkLfO8NHFqk3z9YM3BknzshPXyT3LLRB', 'r1uhEUnLBhHdqg3YE4q5dVl3f1u1Znc', 'Dwyv7BNNJWqoUjOFs7dByQSS2Xly2mU', 'shb1pCLWPp26aMsIgHxy8enRNTCBhy0', 'QUFdo5hErYe2wRGVmpQ0HiDEZ5Wxoif'
            Source: System User.0.dr, aJjxApcjLvIQefRJQMiXpTQQXVYlAtzb5U3lQMUs0XMfbBd4Kzbhrms7DMWoX.cs | High entropy of concatenated method names: 'hIkJnrNr96LqDtKOldg69Kg7DO8EvmH26jdvLe1IPt2cqhXQ5COojMZuTKtOI', '_2Swd3q3t67jCeXOafMliAueiYSeUF3xmGSAjljnmRInfXM3vsftOdW84FZYKD', 'EtyXXAp4m0p48XS3KW7htmPwohsjQwFHWBUE28UVL4vt1eb4tVpIhKSiOtng7', '_7w3wyqcdjyhdTJf7SGKmUunm4NqEouUgSfp9UCJh6WoC3ieEmwhcMsbmq7XeT', '_6RZjweNTdkL5wuYg9FEKQNWwQdZEHnMYic3WazDXV5PWYKx2CXzQqgmduUdAH', 'xTBD0wUsKuIrM', 'PvWPlYDbuqBgC', 'khryWFOwj7XMm', 'QUyhPoYGXuGnU', 'kbO2heX9lLi3N'
            Source: System User.0.dr, BROYha18Q9tck7WBEVi5TM5RuapCrS8H7tdE.cs | High entropy of concatenated method names: 'q8NYbNPhzHN4RpmaQYGKDnSX8ymXJmz1rOHC', 'x8CILnd5u9OZnX1o1ApqB72O8wj485mwQQXR', 'Fq2BbVHpHhhanH6SySjxHzs17rezqXwe75kL', 'oa5kjBDQ75Xz5hU4lftqFL2TC2HpOHdMkD6m', 'acBNiRSLDQZ8gLpMXt8elGO0tQyZ93scqEBB', '_9Bzz4iODSVfDgVY3KO7xOWWtUMmeZdFrJxqP', 'KFp5VAIFgvIzlvm2sOYef57rg41yL2s3NqNf', 'j084DKIL77L5arWjU7u4BzsvPYWJERkcU8IG', 'zurXwoU9IIDBQIrRplTzVyW75ePKD90fSoFg', '_0wKLKPN72KVIvdUAhel3uUuYt57lcAg0cGT8'
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | File created: C:\Users\user\AppData\Roaming\System User
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | File created: C:\Users\user\AppData\Roaming\System User

            Boot Survival

            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User"
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System User
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run System User

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System User  Process information set: NOOPENFILEERRORBOX  (31 identical entries collapsed)
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\OpenWith.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\System UserProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Memory allocated: 1830000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Memory allocated: 1B2E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User -> Memory allocated: 14E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User -> Memory allocated: 1B1A0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User -> Memory allocated: E70000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User -> Memory allocated: 1A890000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User -> Memory allocated: 1300000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\System User -> Memory allocated: 1B0D0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\System User -> Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Window / User API: threadDelayed 753
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Window / User API: threadDelayed 9091
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 3773
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 5892
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 7590
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 2085
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 7944
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 1659
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 3744
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Window / User API: threadDelayed 5956
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe TID: 1480 -> Thread sleep time: -35971150943733603s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 348 -> Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6004 -> Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 616 -> Thread sleep count: 7944 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 616 -> Thread sleep count: 1659 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1816 -> Thread sleep time: -3689348814741908s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144 -> Thread sleep count: 3744 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3144 -> Thread sleep count: 5956 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5972 -> Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Users\user\AppData\Roaming\System User TID: 6368 -> Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\System User TID: 2408 -> Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\svchost.exe TID: 2516 -> Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\System32\svchost.exe -> File opened: PhysicalDrive0
            Source: C:\Windows\System32\conhost.exe -> Last function: Thread delayed
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\System User -> File Volume queried: C:\ FullSizeInformation
            Source: I8YtUAUWeS.exe, 00000000.00000002.3336101265.000000001C060000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3299753988.000001EC07455000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.3295760138.000001EC01E27000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: Hyper-V RAW
            Source: I8YtUAUWeS.exe, 00000000.00000002.3289351917.0000000001550000.00000004.00000020.00020000.00000000.sdmp -> Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\System User -> Process token adjusted: Debug
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe'
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User'
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'I8YtUAUWeS.exe'
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User"
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Queries volume information: C:\Users\user\Desktop\I8YtUAUWeS.exe VolumeInformation
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exe -> Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -> Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\System UserQueries volume information: C:\Users\user\AppData\Roaming\System User VolumeInformation
            Source: C:\Users\user\AppData\Roaming\System UserQueries volume information: C:\Users\user\AppData\Roaming\System User VolumeInformation
            Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
            Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
            Source: C:\Windows\System32\OpenWith.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
            Source: C:\Users\user\AppData\Roaming\System UserQueries volume information: C:\Users\user\AppData\Roaming\System User VolumeInformation
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: I8YtUAUWeS.exe, 00000000.00000002.3289351917.0000000001550000.00000004.00000020.00020000.00000000.sdmp, I8YtUAUWeS.exe, 00000000.00000002.3336101265.000000001C0E3000.00000004.00000020.00020000.00000000.sdmp, I8YtUAUWeS.exe, 00000000.00000002.3289351917.0000000001570000.00000004.00000020.00020000.00000000.sdmp, I8YtUAUWeS.exe, 00000000.00000002.3336101265.000000001C10B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\I8YtUAUWeS.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: I8YtUAUWeS.exe, type: SAMPLE
Source: Yara match | File source: 0.0.I8YtUAUWeS.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2026291446.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: I8YtUAUWeS.exe PID: 6968, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System User, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: I8YtUAUWeS.exe, type: SAMPLE
Source: Yara match | File source: 0.0.I8YtUAUWeS.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2026291446.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: I8YtUAUWeS.exe PID: 6968, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\System User, type: DROPPED
MITRE ATT&CK Matrix

Techniques the report flagged carry the report's signature counters in parentheses (rendered as superscripts in the original); every other cell is the untriggered matrix template.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (11); Scheduled Task/Job (1); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (21); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (21); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (141); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (231); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (23); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1532617, Sample: I8YtUAUWeS.exe, Startdate: 13/10/2024, Architecture: WINDOWS, Score: 100)

Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 14 other signatures
Processes started from the root: I8YtUAUWeS.exe; svchost.exe; System User; 4 other processes

I8YtUAUWeS.exe
  Network: 147.185.221.23 (ports 19686, 49974, 49986), SALSGIVERUS, United States
  Dropped file: C:\Users\user\AppData\Roaming\System User (PE32)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 2 other signatures
  Started: powershell.exe (3 instances); 2 other processes
    powershell.exe: Loading BitLocker PowerShell Module; each of the three powershell.exe instances and each of the 2 other processes started a conhost.exe child (5 conhost.exe in total)
svchost.exe
  Network: 127.0.0.1 (unknown, unknown)

Antivirus detection, submitted sample (Source | Detection | Scanner | Label)
I8YtUAUWeS.exe | 70% | Virustotal
I8YtUAUWeS.exe | 100% | Avira | TR/Spy.Gen
I8YtUAUWeS.exe | 100% | Joe Sandbox ML

Antivirus detection, dropped file (Source | Detection | Scanner | Label)
C:\Users\user\AppData\Roaming\System User | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Roaming\System User | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\System User | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.XWormRAT
C:\Users\user\AppData\Roaming\System User | 70% | Virustotal
            No Antivirus matches
            No Antivirus matches
URL / IP reputation (Source | Detection | Scanner | Label)
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://g.live.com/odclientsettings/ProdV2.C: | 0% | URL Reputation | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal
147.185.221.23 | 12% | Virustotal
https://g.live.com/odclientsettings/Prod/C: | 0% | Virustotal
http://www.microsoft. | 0% | Virustotal
https://github.com/Pester/Pester | 1% | Virustotal
            No contacted domains info
Contacted IPs (Name | Malicious | Antivirus Detection | Reputation)
147.185.221.23 | true | (none) | unknown

URLs found in memory and dropped files (Name | Source | Malicious | Antivirus Detection | Reputation)
https://g.live.com/odclientsettings/Prod/C: | edb.log.19.dr, qmgr.db.19.dr | false | (none) | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2122053980.00000202F1FB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2248965441.00000210F2862000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403033636.0000022E3A051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2590606690.000001C259F10000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.2462131219.000001C24A0C8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.microso | powershell.exe, 0000000A.00000002.2611369943.000001C262265000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.2101074004.00000202E2169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2175055839.00000210E2A19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306695024.0000022E2A208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2462131219.000001C24A0C8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.2462131219.000001C24A0C8000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
http://crl.microsK | powershell.exe, 0000000A.00000002.2618590988.000001C2623B0000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.2101074004.00000202E2169000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2175055839.00000210E2A19000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306695024.0000022E2A208000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2462131219.000001C24A0C8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 0000000A.00000002.2590606690.000001C259F10000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2122053980.00000202F1FB2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2248965441.00000210F2862000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2403033636.0000022E3A051000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2590606690.000001C259F10000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 0000000A.00000002.2590606690.000001C259F10000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.2590606690.000001C259F10000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.ver) | svchost.exe, 00000013.00000002.3299228135.000001EC0740F000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000013.00000003.2761258612.000001EC07340000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr | false | URL Reputation: safe | unknown
http://www.microsoft. | powershell.exe, 00000002.00000002.2128743212.00000202FA5DB000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2127918335.00000202FA450000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2101074004.00000202E1F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2175055839.00000210E27F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306695024.0000022E29FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2462131219.000001C249EA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.micr | powershell.exe, 00000005.00000002.2274143073.00000210FAEFA000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | I8YtUAUWeS.exe, 00000000.00000002.3300789464.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2101074004.00000202E1F41000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2175055839.00000210E27F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2306695024.0000022E29FE1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2462131219.000001C249EA1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.mioft.sito | powershell.exe, 00000005.00000002.2271190975.00000210FACC5000.00000004.00000020.00020000.00000000.sdmp | false | (none) | unknown
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.2462131219.000001C24A0C8000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown

None of the URLs in this table was contacted by the sample: they are static strings from PowerShell module manifests and help links (contoso.com, nuget.org, pesterbdd.com, aka.ms/pscore6), SOAP/WS-* schema namespaces from .NET assemblies, and the OneDrive client-settings URL stored in the BITS database (edb.log, qmgr.db); the cut-off entries such as http://crl.microso are partial strings recovered from process memory. The only live network indicator in this report is 147.185.221.23, listed as malicious above.
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.23 | unknown | United States | 12087 | SALSGIVERUS | true

IP (local, not routed)
127.0.0.1 (loopback; reached by svchost.exe according to the behavior graph)
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1532617
                      Start date and time:2024-10-13 18:53:05 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 18s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:22
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:I8YtUAUWeS.exe
                      renamed because original name is a hash value
                      Original Sample Name:dd4c271013a197bb197b6d0558d98c05374d337a57cc5fefd5ef1ec8f01f8608.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@22/25@0/2
                      EGA Information:
                      • Successful, ratio: 12.5%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 80
                      • Number of non-executed functions: 9
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 184.28.90.27
                      • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                      • Execution Graph export aborted for target System User, PID 1172 because it is empty
                      • Execution Graph export aborted for target System User, PID 4580 because it is empty
                      • Execution Graph export aborted for target System User, PID 5500 because it is empty
                      • Execution Graph export aborted for target powershell.exe, PID 3436 because it is empty
                      • Execution Graph export aborted for target powershell.exe, PID 5252 because it is empty
                      • Execution Graph export aborted for target powershell.exe, PID 6412 because it is empty
                      • Execution Graph export aborted for target powershell.exe, PID 6532 because it is empty
                      • Not all processes where analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
12:53:58 | API Interceptor | 57x Sleep call for process: powershell.exe modified
12:54:56 | API Interceptor | 41382x Sleep call for process: I8YtUAUWeS.exe modified
12:55:06 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
12:55:07 | API Interceptor | 2x Sleep call for process: svchost.exe modified
18:54:56 | Task Scheduler | Run new task: System User path: C:\Users\user\AppData\Roaming\System s>User
18:54:58 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run System User C:\Users\user\AppData\Roaming\System User
18:55:06 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run System User C:\Users\user\AppData\Roaming\System User
18:55:14 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk
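The timeline above records three persistence mechanisms for the same extensionless payload (Run key, Startup folder .lnk, scheduled task), and the behavior section earlier records the root\SecurityCenter2 AntivirusProduct query, the MachineGuid read and the contacted IP. The following Python is an added triage example, not code from the Joe Sandbox report: it parses lines in that shape, maps each event to the ATT&CK technique the report's matrix lists for it, and collects the block-list material. The SAMPLE_LINES are constructed from the report text, the RULES table and the ATT&CK IDs are this example's own mapping, and treating the first port after the IP as the remote port is an assumption about the graph's print order.

```python
"""Triage of Joe Sandbox-style behaviour lines.

Added example, not part of the Joe Sandbox report. It classifies the
persistence, discovery and network events the report lists and emits
an ATT&CK summary plus IOCs. Sample lines are constructed from the
report text; the rule table is this example's own.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed from the report above (not a raw Joe Sandbox export).
SAMPLE_LINES = [
    r"Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run System User C:\Users\user\AppData\Roaming\System User",
    r"Autostart Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk",
    r"Task Scheduler Run new task: System User path: C:\Users\user\AppData\Roaming\System User",
    r"WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"147.185.221.23, 19686, 49974, 49986 SALSGIVERUS United States",
]


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID and name, following the report's matrix
    evidence: str    # the line or fragment that triggered the rule


# Regex -> technique. The IDs are this example's mapping of the matrix names.
RULES = [
    (re.compile(r"CurrentVersion\\Run\b", re.I),
     "T1547.001 Registry Run Keys / Startup Folder"),
    (re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
     "T1547.001 Registry Run Keys / Startup Folder"),
    (re.compile(r"Task Scheduler", re.I),
     "T1053.005 Scheduled Task/Job"),
    (re.compile(r"root\\SecurityCenter2", re.I),
     "T1518.001 Security Software Discovery"),
    (re.compile(r"\\Cryptography MachineGuid", re.I),
     "T1082 System Information Discovery"),
]
# "<ip>, <port>, ..." as the behaviour graph prints it. Assumption: the
# first port after the IP is the remote (listener) port.
IP_PORT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}),\s*(\d{1,5})\b")
DRIVE_PATH = re.compile(r"[A-Za-z]:\\.*$")


def persisted_path(line: str) -> Optional[str]:
    """Return the first drive-letter path on the line, if any."""
    m = DRIVE_PATH.search(line)
    return m.group(0) if m else None


def looks_like_hidden_payload(path: str) -> bool:
    """Extensionless file under a profile's AppData, like 'System User'."""
    name = path.rsplit("\\", 1)[-1]
    return "\\AppData\\" in path and "." not in name


def triage(lines: List[str]) -> List[Finding]:
    """Run every rule over every line; one Finding per (line, rule) hit."""
    findings: List[Finding] = []
    for line in lines:
        for pattern, technique in RULES:
            if pattern.search(line):
                findings.append(Finding(technique, line))
        m = IP_PORT.search(line)
        if m:
            findings.append(Finding("T1571 Non-Standard Port",
                                    f"{m.group(1)}:{m.group(2)}"))
        path = persisted_path(line)
        if path and looks_like_hidden_payload(path):
            findings.append(Finding("T1036 Masquerading", path))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Technique -> number of supporting events (compare with the matrix)."""
    return dict(Counter(f.technique for f in findings))


def iocs(findings: List[Finding]) -> Dict[str, List[str]]:
    """Block-list material: C2 endpoints and persisted payload paths."""
    return {
        "c2": sorted({f.evidence for f in findings
                      if f.technique.startswith("T1571")}),
        "paths": sorted({f.evidence for f in findings
                         if f.technique.startswith("T1036")}),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for technique, n in summarize(found).items():
        print(f"{n}x {technique}")
    print(iocs(found))
```

The extensionless-payload rule is the one worth keeping on a real host: a Run value, Startup shortcut or scheduled task whose target lives under AppData and has no file extension is unusual for legitimate software and is exactly how this sample hides "System User".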
IP context (Match | Associated Sample Name / URL | Detection | Threat Name)
147.185.221.23 | s3OBQLA3xR.exe | malicious | XWorm
147.185.221.23 | W1FREE.exe | malicious | XWorm
147.185.221.23 | x2Yi9Hr77a.exe | malicious | XWorm
147.185.221.23 | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm
147.185.221.23 | A39tzaySzX.exe | malicious | AsyncRAT, XWorm
147.185.221.23 | H1N45BQJ8x.exe | malicious | XWorm
No context

ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
SALSGIVERUS | s3OBQLA3xR.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | W1FREE.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | dHp58IIEYz.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | Lr87y2w72r.exe | malicious | XWorm | 147.185.221.18
SALSGIVERUS | 7LwVrYH7sy.exe | malicious | XWorm | 147.185.221.18
SALSGIVERUS | 432mtXKD3l.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | 5q4X9fRo4b.exe | malicious | AsyncRAT, XWorm | 147.185.221.17
SALSGIVERUS | l18t80u9zg.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | Windows Defender.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | x2Yi9Hr77a.exe | malicious | XWorm | 147.185.221.23
No context
No context
                                  Process:C:\Windows\System32\svchost.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):1310720
                                  Entropy (8bit):0.8307223949851177
                                  Encrypted:false
                                  SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugL:gJjJGtpTq2yv1AuNZRY3diu8iBVqFd
                                  MD5:D5150E7BE569E95ED6E0F0B5AA741F81
                                  SHA1:9D60CBAD37FAC1957F61AE3FD2950D460DF48A88
                                  SHA-256:25C8B0F1CC4BA2C3224108D6B4F049921C5A08710A0C812F938279BD4722B704
                                  SHA-512:4A6A5FBB37303D228F5225C8B6A8D2B65226545D97AF541BDEA0D5ABD713C540A0B10E728FD5EB9CEA28BC940A8D24E878992A1DFD6EBD4A3D2D3D73182F13C9
                                  Malicious:false
                                  Preview:...M........@..@.-...{5..;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................4..........E.[.rXrX.#.........`h.................h.5.......3.....X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................
                                  Process:C:\Windows\System32\svchost.exe
                                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x48b142e9, page size 16384, DirtyShutdown, Windows version 10.0
                                  Category:dropped
                                  Size (bytes):1310720
                                  Entropy (8bit):0.6586027839230305
                                  Encrypted:false
                                  SSDEEP:1536:JSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:Jaza9v5hYe92UOHDnAPZ4PZf9h/9h
                                  MD5:C44113AF1B526812334762DACCF849BF
                                  SHA1:646D74B24A39FF31244CE10B342A7D1950171FF6
                                  SHA-256:2582E5BB4BDB98B06D9A6D21E0D78F10C9D01A0C6BD549B0F37A2E9EF6D57FC0
                                  SHA-512:E4EF49DC3E5655A0913BB7AF60BEEDA91A105C87F36A2F7658D206B27E066942ED4590382A81E6832EB8525BB3708AF834EF7D9989C37D8004DC6AD272166B80
                                  Malicious:false
                                  Preview:H.B.... ...............X\...;...{......................0.z..........{...7...|].h.|.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........-...{5..............................................................................................................................................................................................2...{....................................._.7...|]......................7...|]..........................#......h.|.....................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\svchost.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):16384
                                  Entropy (8bit):0.08018332545885108
                                  Encrypted:false
                                  SSDEEP:3:oSl/EYeVZ47GuAJkhvekl1+i/vG4llrekGltll/SPj:odzVZ47rxlSoJe3l
                                  MD5:1A5EF59F0262108EBA991E98987F38C3
                                  SHA1:6628D76DC5D0BA87E7FA9A06746A1A40927A4388
                                  SHA-256:F42E5FE2EDF3F68734BE1493B19A5D7BB121CD89B2AA51A86F85393124CA611C
                                  SHA-512:6D39381B844BA6D7A1439942981496CA89B48BE0BC87D1C98FC338B7F1A060B78292401844C83D858ACC636065B324199ED5C17BC725FECA7C0B289D9CEE4EAF
                                  Malicious:false
                                  Preview:........................................;...{...7...|]......{...............{.......{...XL......{.......................7...|].........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Roaming\System User
                                  File Type:CSV text
                                  Category:dropped
                                  Size (bytes):654
                                  Entropy (8bit):5.380476433908377
                                  Encrypted:false
                                  SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                  MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                  SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                  SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                  SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                  Malicious:false
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):64
                                  Entropy (8bit):0.34726597513537405
                                  Encrypted:false
                                  SSDEEP:3:Nlll:Nll
                                  MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                  SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                  SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                  SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                  Malicious:false
                                  Preview:@...e...........................................................
                                  Process:C:\Users\user\Desktop\I8YtUAUWeS.exe
                                  File Type:Generic INItialization configuration [WIN]
                                  Category:dropped
                                  Size (bytes):64
                                  Entropy (8bit):3.6722687970803873
                                  Encrypted:false
                                  SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                  MD5:DE63D53293EBACE29F3F54832D739D40
                                  SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                  SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                  SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                  Malicious:false
                                  Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Users\user\Desktop\I8YtUAUWeS.exe
                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 13 15:54:55 2024, mtime=Sun Oct 13 15:54:55 2024, atime=Sun Oct 13 15:54:55 2024, length=70144, window=hide
                                  Category:dropped
                                  Size (bytes):763
                                  Entropy (8bit):5.05370803931683
                                  Encrypted:false
                                  SSDEEP:12:8tVig4fR4+88CMtlhlsY//ozJLZ89L+WlHFjAC9lHHlnlCfH7aHc5c3mV:8tVmfC8JXhZwxC9pACHqTa8y3m
                                  MD5:1157D104491866EA0C68C7FE70E3625C
                                  SHA1:97E62C540FA163693BABBCB00CA4A0A3B41A214E
                                  SHA-256:3D846687CD49916BBA65E8652ED17B0603D1FC3E406DA6F7D8C6A0E31315976A
                                  SHA-512:B2AF66E5EBFA2F316ED79F051CCF46DF9C5121A3BB242C938FF6B982292AE8B9E097494B499401B66240DBC7224437B9162BAC040993A17BAF35D86AA2E94508
                                  Malicious:false
                                  Preview:L..................F.... ...%.v.....%.v.....%.v.............................t.:..DG..Yr?.D..U..k0.&...&...... M........x....y0..........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlMY......B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....MY....Roaming.@......DWSlMY......C.........................R.o.a.m.i.n.g.....`.2.....MY. .SYSTEM~1..H......MY.MY......*.......................S.y.s.t.e.m. .U.s.e.r.......Z...............-.......Y...........t.'......C:\Users\user\AppData\Roaming\System User........\.....\.....\.....\.....\.S.y.s.t.e.m. .U.s.e.r.`.......X.......051829...........hT..CrF.f4... ..9......,...W..hT..CrF.f4... ..9......,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                  Process:C:\Users\user\Desktop\I8YtUAUWeS.exe
                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Category:dropped
                                  Size (bytes):70144
                                  Entropy (8bit):5.979535740179108
                                  Encrypted:false
                                  SSDEEP:1536:tJ9q/zoKLGy0VWkgY6Zh+bli9v67vGZO+knnVRZ:8boKLjkeYA+bl7vGZOnnnnZ
                                  MD5:A30DC93D4CCB4526AC16BEB598787E80
                                  SHA1:1ACAF45FE7837744CE5DFB0C56794B002743D851
                                  SHA-256:DD4C271013A197BB197B6D0558D98C05374D337A57CC5FEFD5EF1EC8F01F8608
                                  SHA-512:A68F5A7F088B3D35D1B5FFEA4E26AA67E3E4904F0D79AA5BEA96678EBF03BB09CA7B24F6DF853A851E6DF46FE6C7E257F1EF437BA8A05BE3C7D55B4B39DAC7B4
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User, Author: ditekSHen
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 79%
                                  • Antivirus: Virustotal, Detection: 70%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.g.............................'... ...@....@.. ....................................@.................................8'..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p'......H.......X_..........&.....................................................(....*.r...p*. =...*..(....*.ro..p*. .(T.*.s.........s.........s.........s.........*.r...p*.r...p*. ...*.r...p*. S...*.r...p*. {...*.r...p*..((...*.r...p*. r.d.*.r...p*. .x!.*"(....+.*&(....&+.*.+5sZ... .... .'..o[...(,...~....-.(G...(9...~....o\...&.-.*.r...p*. ....*.r...p*. ....*.r...p*. o...*.r7..p*. .8F.*.rS..p*. ....*.ro..p*. .&..*..............j..................s]..............*"(I...+.*:.t....(
                                  Process:C:\Windows\System32\svchost.exe
                                  File Type:JSON data
                                  Category:dropped
                                  Size (bytes):55
                                  Entropy (8bit):4.306461250274409
                                  Encrypted:false
                                  SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                  MD5:DCA83F08D448911A14C22EBCACC5AD57
                                  SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                  SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                  SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                  Malicious:false
                                  Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):5.979535740179108
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:I8YtUAUWeS.exe
                                  File size:70'144 bytes
                                  MD5:a30dc93d4ccb4526ac16beb598787e80
                                  SHA1:1acaf45fe7837744ce5dfb0c56794b002743d851
                                  SHA256:dd4c271013a197bb197b6d0558d98c05374d337a57cc5fefd5ef1ec8f01f8608
                                  SHA512:a68f5a7f088b3d35d1b5ffea4e26aa67e3e4904f0d79aa5bea96678ebf03bb09ca7b24f6df853a851e6df46fe6c7e257f1ef437ba8a05be3c7d55b4b39dac7b4
                                  SSDEEP:1536:tJ9q/zoKLGy0VWkgY6Zh+bli9v67vGZO+knnVRZ:8boKLjkeYA+bl7vGZOnnnnZ
                                  TLSH:E4637B1C3BE64526D0FFAFF04EE67156CA39F3135903EA6F64D502865623A88CE406F6
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.g.............................'... ...@....@.. ....................................@................................
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0x41278e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x670B3A94 [Sun Oct 13 03:12:20 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
                                   Name                                  Virtual Address  Virtual Size  Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IMPORT          0x12738          0x53          .text
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE        0x14000          0x4ce         .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC       0x16000          0xc           .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                   IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                   Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                   .text   0x2000           0x10794       0x10800   6f8742140bf113140514b6acb21eb8e5  False     0.6008078835227273  data       6.057518623519667    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rsrc   0x14000          0x4ce         0x600     f9052177c59fad11b6e11866b69a673f  False     0.375               data       3.726864092899557    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc  0x16000          0xc           0x200     484e531fb532e0e536ca0df678a185da  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                   Name         RVA      Size   Type                                                                                Language  Country  ZLIB Complexity
                                   RT_VERSION   0x140a0  0x244  data                                                                                                   0.4724137931034483
                                   RT_MANIFEST  0x142e4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5469387755102041
                                   DLL          Import
                                   mscoree.dll  _CorExeMain
                                   Timestamp                        SID      Signature                                                 Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
                                   2024-10-13T18:55:08.689696+0200  2853193  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound  1         192.168.2.5  49974        147.185.221.23  19686      TCP
                                   2024-10-13T18:55:59.271339+0200  2855924  ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound  1         192.168.2.5  49987        147.185.221.23  19686      TCP

                                  Target ID:0
                                  Start time:12:53:54
                                  Start date:13/10/2024
                                  Path:C:\Users\user\Desktop\I8YtUAUWeS.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\Desktop\I8YtUAUWeS.exe"
                                  Imagebase:0xfe0000
                                  File size:70'144 bytes
                                  MD5 hash:A30DC93D4CCB4526AC16BEB598787E80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2026291446.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2026291446.0000000000FE2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                  Reputation:low
                                  Has exited:false

                                  Target ID:2
                                  Start time:12:53:57
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\I8YtUAUWeS.exe'
                                  Imagebase:0x7ff7be880000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:3
                                  Start time:12:53:57
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:12:54:05
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'I8YtUAUWeS.exe'
                                  Imagebase:0x7ff7be880000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:12:54:05
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:12:54:19
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\System User'
                                  Imagebase:0x7ff7be880000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:9
                                  Start time:12:54:19
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:12:54:35
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
                                  Imagebase:0x7ff7be880000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:11
                                  Start time:12:54:35
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:14
                                  Start time:12:54:55
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\schtasks.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\user\AppData\Roaming\System User"
                                  Imagebase:0x7ff6f07d0000
                                  File size:235'008 bytes
                                  MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:15
                                  Start time:12:54:55
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff6d64d0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:16
                                  Start time:12:54:56
                                  Start date:13/10/2024
                                  Path:C:\Users\user\AppData\Roaming\System User
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\AppData\Roaming\System User"
                                  Imagebase:0xf90000
                                  File size:70'144 bytes
                                  MD5 hash:A30DC93D4CCB4526AC16BEB598787E80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\System User, Author: Joe Security
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\System User, Author: ditekSHen
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 79%, ReversingLabs
                                  • Detection: 70%, Virustotal, Browse
                                  Reputation:low
                                  Has exited:true

                                  Target ID:17
                                  Start time:12:55:02
                                  Start date:13/10/2024
                                  Path:C:\Users\user\AppData\Roaming\System User
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\AppData\Roaming\System User"
                                  Imagebase:0x620000
                                  File size:70'144 bytes
                                  MD5 hash:A30DC93D4CCB4526AC16BEB598787E80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:18
                                  Start time:12:55:06
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\OpenWith.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                  Imagebase:0x7ff73d800000
                                  File size:123'984 bytes
                                  MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:19
                                  Start time:12:55:07
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\svchost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                  Imagebase:0x7ff7e52b0000
                                  File size:55'320 bytes
                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false

                                  Target ID:20
                                  Start time:12:55:14
                                  Start date:13/10/2024
                                  Path:C:\Windows\System32\OpenWith.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                                  Imagebase:0x7ff73d800000
                                  File size:123'984 bytes
                                  MD5 hash:E4A834784FA08C17D47A1E72429C5109
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Has exited:true

                                  Target ID:21
                                  Start time:12:56:00
                                  Start date:13/10/2024
                                  Path:C:\Users\user\AppData\Roaming\System User
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\AppData\Roaming\System User"
                                  Imagebase:0xdb0000
                                  File size:70'144 bytes
                                  MD5 hash:A30DC93D4CCB4526AC16BEB598787E80
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:22%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:6
                                    Total number of Limit Nodes:0
                                     Execution graph (rendered figure; the recoverable node chains, with the API called at each node):
                                     • 7ff848f23648 -> 7ff848f23651 (SetWindowsHookExW) -> 7ff848f23721
                                     • 7ff848f23018 -> 7ff848f23021 (RtlSetProcessIsCritical) -> 7ff848f23202

                                    Control-flow Graph

                                     [Control-flow graph of the function at 7ff848f21689-7ff848f21ef6: rendered figure with executed/not-executed colouring; node and edge data omitted]
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3344239816.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f20000_I8YtUAUWeS.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: CAN_^
                                    • API String ID: 0-3098826533
                                    • Opcode ID: 24aeaae23c0a4f2565e0f0adec61c398ec1ed486c20afd819d607675d38adcc8
                                    • Instruction ID: 95a9ce55a82bca47b3cbc96afdcb246f3263c8454f590ed77127bebc9ab6bd1e
                                    • Opcode Fuzzy Hash: 24aeaae23c0a4f2565e0f0adec61c398ec1ed486c20afd819d607675d38adcc8
                                    • Instruction Fuzzy Hash: D442E331E2DA099FE798FB38945A6B9B7E2FF98340F540579D00EC32C6DE2DA8418745

                                    Control-flow Graph: function 7ff848f216c9-7ff848f21ef6 (rendered graph; node/edge listing omitted)
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3344239816.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f20000_I8YtUAUWeS.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: CAN_^
                                    • API String ID: 0-3098826533
                                    • Opcode ID: 85e8cf0c5a8c50aa4a898aecba92d08e47a982a85d500a814fa91fa35271e7c5
                                    • Instruction ID: eb252255abf729bb933a9c2fc49c2ff2ac46acc5b2ac8e365aff37d5c0343cf4
                                    • Opcode Fuzzy Hash: 85e8cf0c5a8c50aa4a898aecba92d08e47a982a85d500a814fa91fa35271e7c5
                                    • Instruction Fuzzy Hash: CF22F131E2DA099FE798F738945A2B976E2FF98780F540579D00EC32C6DE2DAC418749

                                    Control-flow Graph: function 7ff848f28116-7ff848f285d3 (rendered graph; node/edge listing omitted)
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3344239816.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f20000_I8YtUAUWeS.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d10c06696b5d1019f1f7b0e7260fb77f30e1e218619fbe87d7705a32ef558880
                                    • Instruction ID: 4266f49ec863326709412c25a429c124324f5428c536613ce87f92aa3bfd714a
                                    • Opcode Fuzzy Hash: d10c06696b5d1019f1f7b0e7260fb77f30e1e218619fbe87d7705a32ef558880
                                    • Instruction Fuzzy Hash: 2DF1C23091CA8D8FEBA8EF28D8557E937E1FF54350F44426AE84DC72D5DB35A8418B82

                                    Control-flow Graph: function 7ff848f292d2-7ff848f2975f (rendered graph; node/edge listing omitted)
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3344239816.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f20000_I8YtUAUWeS.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 80821bc16d2b9a64992fe904084a464f828d2eb64a6a8267cf831e4c59719bca
                                    • Instruction ID: 3a104433b23f3a0d06496a7c733ca75999ceccca3361ddd19d7fbc7027189c73
                                    • Opcode Fuzzy Hash: 80821bc16d2b9a64992fe904084a464f828d2eb64a6a8267cf831e4c59719bca
                                    • Instruction Fuzzy Hash: 48E1B430A0CA4D8FEBA9EF28D856BE937D1FF54350F04426ED84DC7695DB7998408B81
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3344239816.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f20000_I8YtUAUWeS.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 253b15cd60ba871b6ecb790b6f1c3d55bc00bacea3b7a47b06a25c1946962590
                                    • Instruction ID: 61c14ec3bb4097192d0807ca5dcdde93b6b27f678dc60054c3f8ad94f22b80c0
                                    • Opcode Fuzzy Hash: 253b15cd60ba871b6ecb790b6f1c3d55bc00bacea3b7a47b06a25c1946962590
                                    • Instruction Fuzzy Hash: 59511120A1E6C95FD396A7785824276BFE1EF97265F0804FBE08DC71D7DE185806C346

                                    Control-flow Graph: function 7ff848f23018-7ff848f2323d, calls RtlSetProcessIsCritical (rendered graph; node/edge listing omitted)
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3344239816.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f20000_I8YtUAUWeS.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f83fa6e0acdd20462acc34776a1b2dd96d77066f7432306fa8d2ced24d24b934
                                    • Instruction ID: 4035807f47b44f32fd029e7ad7738a50dd3103804f26092b916ed83b20f924d1
                                    • Opcode Fuzzy Hash: f83fa6e0acdd20462acc34776a1b2dd96d77066f7432306fa8d2ced24d24b934
                                    • Instruction Fuzzy Hash: 46713872D0D6C58FE319DBAC68191F97BE0FF12764F0840BFD089871E3DA2968468766

                                    Control-flow Graph: function entered at 7ff848f2307d, spanning 7ff848f23037-7ff848f2323d, calls RtlSetProcessIsCritical (rendered graph; node/edge listing omitted)
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3344239816.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f20000_I8YtUAUWeS.jbxd
                                    Similarity
                                    • API ID: CriticalProcess
                                    • String ID:
                                    • API String ID: 2695349919-0
                                    • Opcode ID: 923ba84b10466cbec5d4a3947605f5bb05ba69a204248969386c6fe3cb9605c2
                                    • Instruction ID: 440efe3cfc935881fbac7544619f0445d0d871892ebcd116aa574eb00385d08a
                                    • Opcode Fuzzy Hash: 923ba84b10466cbec5d4a3947605f5bb05ba69a204248969386c6fe3cb9605c2
                                    • Instruction Fuzzy Hash: 2C517972D0DA848FE718DBACA8091B97BE0FF56760F08007FD089871D3DB2568468796

                                    Control-flow Graph: function 7ff848f23648-7ff848f23758, calls SetWindowsHookExW (rendered graph; node/edge listing omitted)
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3344239816.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f20000_I8YtUAUWeS.jbxd
                                    Similarity
                                    • API ID: HookWindows
                                    • String ID:
                                    • API String ID: 2559412058-0
                                    • Opcode ID: fd0257bacfeb63d29781adb3cfba9246d0b294b65c290413afacf921a1aaffb2
                                    • Instruction ID: 07a907bd0c3d9a2ec5f2423eec72d3ea43566474a09b30d831a51dfa8840dee4
                                    • Opcode Fuzzy Hash: fd0257bacfeb63d29781adb3cfba9246d0b294b65c290413afacf921a1aaffb2
                                    • Instruction Fuzzy Hash: 1C41157091CA4C8FDB58EB6CD8066F9BBE1EB59361F00023ED009C3292CF65A8468BC5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.3344239816.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ff848f20000_I8YtUAUWeS.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 71a6f5fe72fb3c1767bcf7719cd07ef647e88772ecba59be634ff8d12b72a6bc
                                    • Instruction ID: 29dc6ab4560adc9b60fc295b090fb05480a8c10fd7ad91ba36f082528b2cd8a2
                                    • Opcode Fuzzy Hash: 71a6f5fe72fb3c1767bcf7719cd07ef647e88772ecba59be634ff8d12b72a6bc
                                    • Instruction Fuzzy Hash: 3B71F737A1E5629AD352B7FCB8511EB7B60FF413B9B084277D1888E093DE1C604682AD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2131807138.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (A$I$(A$I$(A$I$(A$I$(A$I
                                    • API String ID: 0-1992720992
                                    • Opcode ID: 126b2e8088d03b9652ce4969d75534650a9c9e212fdbb1e05ffd1903bee3527c
                                    • Instruction ID: a0faf565250b6d33bdd07d026a516ba089301c167f51c7f8df5c96026ab7ff64
                                    • Opcode Fuzzy Hash: 126b2e8088d03b9652ce4969d75534650a9c9e212fdbb1e05ffd1903bee3527c
                                    • Instruction Fuzzy Hash: 97D1FE31D0EA8A5FE799AB2858155B5BBE0EF1A294F1801FBD14DCB0D3EE1CA805C365
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2131149603.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b67a1ba5841538b7cc2d0d0b467108515267b1247056589b7b97b216b4774e4a
                                    • Instruction ID: 32230a0765edc9e0b9d2aa85a33bad5cb765c76c84b20bd8095c51c4e4d6cab1
                                    • Opcode Fuzzy Hash: b67a1ba5841538b7cc2d0d0b467108515267b1247056589b7b97b216b4774e4a
                                    • Instruction Fuzzy Hash: 8731293191CB488FDB1C9F5CA8066F97BE0FB99711F10412FE44983692CB30A8468BC6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2130306945.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff848e0d000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1b4ea66d470dcb105ff3b28077f1667a20965f08675b7b3af9e3e9f3a623a70c
                                    • Instruction ID: b7396efacc3d3fde0f94d0405d3d2b4eeb5e1ca8c0b5776724e078ff10db79c6
                                    • Opcode Fuzzy Hash: 1b4ea66d470dcb105ff3b28077f1667a20965f08675b7b3af9e3e9f3a623a70c
                                    • Instruction Fuzzy Hash: 0241F67180DBC44FE7569B28A8459523FF0FF57220F1509EFD088CB1A3E725A84AC792
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2131149603.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 11423ff9b3afa99d971a16ea89eb7cf27fc2d11a1069d6b4e6799f0256878e23
                                    • Instruction ID: 786805e341dc6e9ba79e62d9bbd3b18f0bcbb70cb755232f1f4d853ac72f5616
                                    • Opcode Fuzzy Hash: 11423ff9b3afa99d971a16ea89eb7cf27fc2d11a1069d6b4e6799f0256878e23
                                    • Instruction Fuzzy Hash: EB21277080CB888FE709DBA89849AF97FF4EB53321F04415ED445D71A3DA795846CB61
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2131149603.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                    • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                                    • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                    • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2131807138.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 589abdf304b20fd917c63a161d6319b44ca400ef90db8dcfbafb8012983e35bd
                                    • Instruction ID: 904fc0d044388c0b402276f49f7e03b073ade4e360b8f343e338c25cdb441d40
                                    • Opcode Fuzzy Hash: 589abdf304b20fd917c63a161d6319b44ca400ef90db8dcfbafb8012983e35bd
                                    • Instruction Fuzzy Hash: 8FF09A32A0C5458FD75AEB1CE4048A8B7E0FF65360F1500BBE16DC71A3DB2AEC518759
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2131807138.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f88c5043d1519de781d827c31188a6860e99799a9a020b0c5a50f99e6ab16d77
                                    • Instruction ID: 97fca55499bd2ec2c4cac2d17afbfca632b0b62ed0d9627483834241d20c6600
                                    • Opcode Fuzzy Hash: f88c5043d1519de781d827c31188a6860e99799a9a020b0c5a50f99e6ab16d77
                                    • Instruction Fuzzy Hash: 71F09A31A0C5458FDB54EB1CA4448A8B7E0FF15360F0500B6E159D71A3DB2AAC608764
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2131807138.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff848ff0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                    • Instruction ID: d769517fa595beb740091979c284fb2f197ba556f1da16d26ccdbdaf57273a59
                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                    • Instruction Fuzzy Hash: 76E0123170C4048FD669EB0CE0409A973E1FBA8361B1101B7E24EC7561C721EC518B84
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2131149603.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6e7f7d05193008ac408eccf1bf50610bd3be5d130e5e468a38794640811c7c7f
                                    • Instruction ID: 2f48624924bfcdeca6179b7064551dbb951a0beb8f1e7742573264379dca6d9c
                                    • Opcode Fuzzy Hash: 6e7f7d05193008ac408eccf1bf50610bd3be5d130e5e468a38794640811c7c7f
                                    • Instruction Fuzzy Hash: 41E0483580894C8FDB54EF18D4594E57BE0FF64311F05029BE81DC7161D7719954CBC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.2131149603.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: M_^4$M_^7$M_^F$M_^J
                                    • API String ID: 0-622050427
                                    • Opcode ID: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
                                    • Instruction ID: 4b251d57f47bb37acb7270bcb3fcd5e7a9f7ff78876cdeb73e676b5544b6a454
                                    • Opcode Fuzzy Hash: 72fae20d2bac252b730584b67fdb1a6b21fbfe3d418bd6e58b9d6ffda6c8f105
                                    • Instruction Fuzzy Hash: 6C213B7761A465DED3427B7DB8045DA3750DF942B8B8503B2E098CF083FE1C70868AD4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2277116042.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (B#I$(B#I$(B#I$(B#I$(B#I
                                    • API String ID: 0-1620291718
                                    • Opcode ID: b39e6e6c598709eaeda9895f1c7775186b487c4de5888644e5bfd2490e97962e
                                    • Instruction ID: bc3e92659626744fc3984e0b80b4e39e9f16b646288dbb993d3204f84049201b
                                    • Opcode Fuzzy Hash: b39e6e6c598709eaeda9895f1c7775186b487c4de5888644e5bfd2490e97962e
                                    • Instruction Fuzzy Hash: 6DD11F31D0EA8A5FE7A9AB6858155B5BBA0EF1A390F1801FFD50DCB0D3EE18A805C355
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2276460611.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f7dea8ed4839878c7f7cfb0fccf4c3568d2314e3db96cd7ffe40c83339113413
                                    • Instruction ID: cf4038293554b37e0b789bae775370d14e14b5a25a4d0e3ce4c6029c5da97bcb
                                    • Opcode Fuzzy Hash: f7dea8ed4839878c7f7cfb0fccf4c3568d2314e3db96cd7ffe40c83339113413
                                    • Instruction Fuzzy Hash: 0751683190DBC58FE309EB28D8959A07BE0FF56354B1801BED489C71D3EA26A843C715
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2275884188.00007FF848E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E0D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848e0d000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fa9177302d03db1733b78dc27105163ddc07595aaaaf409e87ecf89330ac1861
                                    • Instruction ID: b06a4ed90a7969b7094c6d120ff6f1eadc7d6213fcbae857510a7effc46f859a
                                    • Opcode Fuzzy Hash: fa9177302d03db1733b78dc27105163ddc07595aaaaf409e87ecf89330ac1861
                                    • Instruction Fuzzy Hash: 1341163080DBC55FE7569B3998419523FF0FF57224F1906EFD088CB1A3D629A846C792
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2276460611.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ea0a338ad5f13daa1407513b55ec39046a688ebf3360788530115bbd3a070e76
                                    • Instruction ID: 725015cd746d185628ddbb90bbb801990569575f6de1266020ae7d1e59b5182c
                                    • Opcode Fuzzy Hash: ea0a338ad5f13daa1407513b55ec39046a688ebf3360788530115bbd3a070e76
                                    • Instruction Fuzzy Hash: 9F21787080D7888FD709CBA898496F97FE4EF52321F0841AFD048DB1A3CA685846CB65
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2276460611.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8078a8fa663e1a4964d9906ffaceb76a4ebced43baa4b2e6a580abd623bb96e9
                                    • Instruction ID: 9cc22d38a37232a4a834517eb71c392bde313bc30b8e51cb72fb0551a5bfdbc4
                                    • Opcode Fuzzy Hash: 8078a8fa663e1a4964d9906ffaceb76a4ebced43baa4b2e6a580abd623bb96e9
                                    • Instruction Fuzzy Hash: 07318131A1CA4C9FDB1CEB5CA846AA97BE0FB98711F00422FE44993651CB71A8558BC2
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2276460611.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3be15d6eb420d97a8cba97207f42c69797b1e64758aadb8e690d93b223d23ab7
                                    • Instruction ID: 31d0522d9ac3078036fd38d9229d2ba6f3999473e2d9ca67a328b580dcf32762
                                    • Opcode Fuzzy Hash: 3be15d6eb420d97a8cba97207f42c69797b1e64758aadb8e690d93b223d23ab7
                                    • Instruction Fuzzy Hash: DE01887694DAC94FD742EF3868550D47F90EF55124B1401EFD448C7192EA175849CB41
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2276460611.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                    • Instruction ID: b81149d342438cc37704c2a90a5bc61e4b8c38b5d9d18ebcc6d248958a2491c8
                                    • Opcode Fuzzy Hash: 4245d3e889aec3e041d9d8f734bc47effec83d37e61caed90803d2df4b046ffc
                                    • Instruction Fuzzy Hash: 6A01677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC36A5DB36E892CB46
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2277116042.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e02472e7a038c57c7c6a5e50eec2756ce634371d5905497385fcb1b0295f4945
                                    • Instruction ID: 904fc0d044388c0b402276f49f7e03b073ade4e360b8f343e338c25cdb441d40
                                    • Opcode Fuzzy Hash: e02472e7a038c57c7c6a5e50eec2756ce634371d5905497385fcb1b0295f4945
                                    • Instruction Fuzzy Hash: 8FF09A32A0C5458FD75AEB1CE4048A8B7E0FF65360F1500BBE16DC71A3DB2AEC518759
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2277116042.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 66b3d0d57bbe31b2576ba38ef7797134f67eb384744f51db90f3e92ebaf5f94b
                                    • Instruction ID: 97fca55499bd2ec2c4cac2d17afbfca632b0b62ed0d9627483834241d20c6600
                                    • Opcode Fuzzy Hash: 66b3d0d57bbe31b2576ba38ef7797134f67eb384744f51db90f3e92ebaf5f94b
                                    • Instruction Fuzzy Hash: 71F09A31A0C5458FDB54EB1CA4448A8B7E0FF15360F0500B6E159D71A3DB2AAC608764
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2277116042.00007FF848FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848FF0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848ff0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                    • Instruction ID: d769517fa595beb740091979c284fb2f197ba556f1da16d26ccdbdaf57273a59
                                    • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                    • Instruction Fuzzy Hash: 76E0123170C4048FD669EB0CE0409A973E1FBA8361B1101B7E24EC7561C721EC518B84
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2276460611.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                    • API String ID: 0-962139525
                                    • Opcode ID: 64d54649c1b082f21b48bcec0ea01dd949fe03042b20aeedb8b22134a012397b
                                    • Instruction ID: 7fd3566e5afb083c6e6401c0847751e720ad71e5f9896b647dd2248b4652e339
                                    • Opcode Fuzzy Hash: 64d54649c1b082f21b48bcec0ea01dd949fe03042b20aeedb8b22134a012397b
                                    • Instruction Fuzzy Hash: FD21D473A29525DAD242366CB8419DD7790EF543B978603F3E028CF193EE1CA48B8A95
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000005.00000002.2276460611.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_5_2_7ff848f20000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: M_^$M_^$M_^$M_^
                                    • API String ID: 0-2235110077
                                    • Opcode ID: a061516bf40f06370b623628f1138b791b3da54a100af22549e288b17732009e
                                    • Instruction ID: 10a2f095c80bb8cdbfaa667706654a19819d4f5fd3d35806c93f175f6a0449fc
                                    • Opcode Fuzzy Hash: a061516bf40f06370b623628f1138b791b3da54a100af22549e288b17732009e
                                    • Instruction Fuzzy Hash: 1A51D572C1E6C24FE356A73938591A57FA0EF22254F9E05FAC0988B0D3FD1B5C4A9316
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2430340324.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ff849000000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (B%I$(B%I$(B%I$(B%I$(B%I
                                    • API String ID: 0-1877043794
                                    • Opcode ID: a4b5d3e19547a7db75909644dce4ca8f81c18c4c4f8a0018a7448baca5b480dd
                                    • Instruction ID: 6c834e2951415cbc2e37386320163a0f6ba716741f2e5811d16300da5cdb0296
                                    • Opcode Fuzzy Hash: a4b5d3e19547a7db75909644dce4ca8f81c18c4c4f8a0018a7448baca5b480dd
                                    • Instruction Fuzzy Hash: 5BD13632D0EACA5FEB65AF6868155B5BBE1EF16394F0802FAD04DD7093EA18E805C351
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2429432695.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 68f0537309c7d94592c58b286dc0155a4810b295acdc3b614bf07fff569c3bcc
                                    • Instruction ID: 37d8d1c6c06b83b70a8cd00ffef6046f20e5baa0295e96f81fee30e339e391db
                                    • Opcode Fuzzy Hash: 68f0537309c7d94592c58b286dc0155a4810b295acdc3b614bf07fff569c3bcc
                                    • Instruction Fuzzy Hash: CA81F977D0D9D54FE342B73DA8A60E97B50EF532ADF0801BBC4884F093EE1A185A8759
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2429432695.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 827b66d6e9f60007efd7a276bcad3b645d487ee191cac61a92237e178c4ff22f
                                    • Instruction ID: 7dea7ea26a25601712a120f9ded8f3aec56d5da45cafe960438ad89f3bb8ca0e
                                    • Opcode Fuzzy Hash: 827b66d6e9f60007efd7a276bcad3b645d487ee191cac61a92237e178c4ff22f
                                    • Instruction Fuzzy Hash: 2531F43191CF488FDB589B5CA80A6B97BE0FB99710F00422FE449D3691CB30A856CBC6
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2428460990.00007FF848E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E1D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ff848e1d000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9bc053ef8bb18118eaa4fcde33ce12b7bb0fd45fea36ec959f78a3365a32d367
                                    • Instruction ID: 2f63352405bbaac9bd76744e651f221271e8b1dfdbbadabd8d7abf961260629d
                                    • Opcode Fuzzy Hash: 9bc053ef8bb18118eaa4fcde33ce12b7bb0fd45fea36ec959f78a3365a32d367
                                    • Instruction Fuzzy Hash: 2B41047180DBC44FD7569B28A8519523FF0FF52360B1502DFE088CB1A3DA24A846C7A2
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2429432695.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 308ca93d1d77b5d31eab52ffab3e1bc9047e5bcbf1ffcc7c39ffc682cb213269
                                    • Instruction ID: e4169fc56cd47a87023b52b45884f2bad8204a2e6fedac750ef26c40a78373fe
                                    • Opcode Fuzzy Hash: 308ca93d1d77b5d31eab52ffab3e1bc9047e5bcbf1ffcc7c39ffc682cb213269
                                    • Instruction Fuzzy Hash: 9F21497080D7884FE709DB689C4AAF97FA4DF53320F08429FD485CB0A3D6695446C761
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2430340324.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ff849000000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b713b9e87a1f47ef8379aa3bcb049efec3aef57387a943c0040fd55942ac6c56
                                    • Instruction ID: f37afb45e34491463977793a7cc271397e28f27c978e68d2dbf30d095293a58a
                                    • Opcode Fuzzy Hash: b713b9e87a1f47ef8379aa3bcb049efec3aef57387a943c0040fd55942ac6c56
                                    • Instruction Fuzzy Hash: A221C532B0CA488FEB69EA1CB4015F9B7E1EF59371B1401BBD14AC3193EA25EC45C795
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2430340324.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ff849000000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3fb0f474f719b786a9c1c08abfd0cec6f186c4f36a1528e05fe26e28eaaa1922
                                    • Instruction ID: 93ef7f41f970560675de0671002e32dd8d94fc7fb79b2b946e2af78438737c8a
                                    • Opcode Fuzzy Hash: 3fb0f474f719b786a9c1c08abfd0cec6f186c4f36a1528e05fe26e28eaaa1922
                                    • Instruction Fuzzy Hash: 7D21D432B0C9488FEB64EA1CB4419F8B7E0EF45761B1400BBD14AC3193EA25EC55C795
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2429432695.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
                                    • Instruction ID: 1fde1e7c06bd8ad01fde8fdacf519f27676798cf7977af127a8e772823c5939c
                                    • Opcode Fuzzy Hash: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
                                    • Instruction Fuzzy Hash: 9501677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.2429432695.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: L_^4$L_^7$L_^F$L_^J
                                    • API String ID: 0-3225005683
                                    • Opcode ID: 8102688ab214c8cdd39813c713289ae0ebbb44b5a4c555a5b4d77903fd85f6ad
                                    • Instruction ID: 0907d21456b919f780f717bd5e1c1cb1acc8cc2b6eeb632774ad829765d359f1
                                    • Opcode Fuzzy Hash: 8102688ab214c8cdd39813c713289ae0ebbb44b5a4c555a5b4d77903fd85f6ad
                                    • Instruction Fuzzy Hash: A52126B761A025AED3417BBDB8045EE3750DF942B8B4552B3D2988F043EB1C70868AE4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2626003330.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7ff849010000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (B%I$(B%I$(B%I$(B%I$(B%I$X7Y
                                    • API String ID: 0-1028923523
                                    • Opcode ID: 424d044bba78673e5e0f6005ececf92f7c7bf4761164621df3b3bda23adf9a81
                                    • Instruction ID: 909a80dd40556d091ee303b050cef0f1d775d67feba4a1a914e1c191f3a86174
                                    • Opcode Fuzzy Hash: 424d044bba78673e5e0f6005ececf92f7c7bf4761164621df3b3bda23adf9a81
                                    • Instruction Fuzzy Hash: A0C12232D0EACA9FEBA5EF6858165B5BBE0EF16354B0801BBD00DC7093EA19EC45C351
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2626003330.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7ff849010000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 8>%I
                                    • API String ID: 0-3722309147
                                    • Opcode ID: 9ad0a6d2464306c8e728f9b91cb653cfecf3f46e3cfc7d01dbd246ee0c51da8e
                                    • Instruction ID: 40b53b7bade2d0dcdfa576026bc3506756a35b2081fa09367521942ce255397d
                                    • Opcode Fuzzy Hash: 9ad0a6d2464306c8e728f9b91cb653cfecf3f46e3cfc7d01dbd246ee0c51da8e
                                    • Instruction Fuzzy Hash: E6512932E0DA868FEBA9EF2C541267577E1EF55760F5801BAC04EC71A3EE29EC058341
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2626003330.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7ff849010000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 8>%I
                                    • API String ID: 0-3722309147
                                    • Opcode ID: 2f02193561d26c1edfaba9c7b2c0cda19f661cda900d74f12ef7bad4ca312e36
                                    • Instruction ID: 2ce7ae7ea7db387de9bd1ef364ffe9fcf620dfa2d29d934d4cf2ecd36b153296
                                    • Opcode Fuzzy Hash: 2f02193561d26c1edfaba9c7b2c0cda19f661cda900d74f12ef7bad4ca312e36
                                    • Instruction Fuzzy Hash: 7021C132E1D9C78FEBB9EE1C546217476D5EF642A0B5905BAC05DC71B2EE29EC048341
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2626003330.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7ff849010000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: (B%I
                                    • API String ID: 0-3492751536
                                    • Opcode ID: 00c9f8947c09c0a9ade5f18aa023844cc839991923508e07bca2dafa686c5008
                                    • Instruction ID: b0acfdd95f66eb0e3da4d14561e19023cb604ca82324e2ac6103a71cb0c66cc9
                                    • Opcode Fuzzy Hash: 00c9f8947c09c0a9ade5f18aa023844cc839991923508e07bca2dafa686c5008
                                    • Instruction Fuzzy Hash: 1311D332E0D68A8FEB64EE589441278B3E1EF15354F1401BBC04DD7182EE19DC458351
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2623668492.00007FF848E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E2D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7ff848e2d000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 436ab0c48dfd86197f22df3ab6a9593b1b1ee165a4095cf44bc4f208f84964fa
                                    • Instruction ID: ff2db8016c5a3f5a76beee76b791a7b23a58e96958ef00134b08d05d3248de2b
                                    • Opcode Fuzzy Hash: 436ab0c48dfd86197f22df3ab6a9593b1b1ee165a4095cf44bc4f208f84964fa
                                    • Instruction Fuzzy Hash: 2641027180DBC45FE7569B3998519623FF0FF53360B1506EFD088CB1A3D625A84AC7A2
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2624966643.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7ff848f40000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a4285bc1ef219211ffb9f32f40b6c637b8b3f2a518447925ce250ee4e21aa320
                                    • Instruction ID: c86ab2a41e4007e3a054283855c42a13dc361d5a1fe8263e7560cbbb05da431e
                                    • Opcode Fuzzy Hash: a4285bc1ef219211ffb9f32f40b6c637b8b3f2a518447925ce250ee4e21aa320
                                    • Instruction Fuzzy Hash: D321FB3190C74C4FDB59DB6C984A7E97FF0EBA6321F04416BD048C31A2D674A45ACB91
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2624966643.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7ff848f40000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                    • Instruction ID: 8501ce2366aa47fe50c32cae5305b62a305da60d827aaf0f190e9b8a75457062
                                    • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                    • Instruction Fuzzy Hash: 8B01447111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB26E882CB45
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2624966643.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7ff848f40000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3f3eafa8a1cae1e36758817903dbd3960c9e1897bdc2159644ceb9f5388c5d25
                                    • Instruction ID: e22e6633b1d7ee07bdc1823b4496fbf7f43c7fac17751f88daf7fea63708cbd3
                                    • Opcode Fuzzy Hash: 3f3eafa8a1cae1e36758817903dbd3960c9e1897bdc2159644ceb9f5388c5d25
                                    • Instruction Fuzzy Hash: 52F0967650DACC4FDB42EF2C98690E9BFA0FFB5214B0402EBD549C71A1D7615958CB81
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2626003330.00007FF849010000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849010000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7ff849010000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d67592d3a3cb917c0812a7c214ca8567ffca6454feaf7d268cd1ad0713422e94
                                    • Instruction ID: e8d85e2f6a35ee1f82381f5fea049a3e94fe684d287c30dc4cb9ee5c8ec73c29
                                    • Opcode Fuzzy Hash: d67592d3a3cb917c0812a7c214ca8567ffca6454feaf7d268cd1ad0713422e94
                                    • Instruction Fuzzy Hash: 24F09A31A0C5858FEB64EF1CA4468A8B7E0FF05360B0500B6E159C71A3EB2AEC50C765
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000A.00000002.2624966643.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_10_2_7ff848f40000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                    • API String ID: 0-2350917820
                                    • Opcode ID: 4d511a56c9d75752d4573350cecfee82ab797f1e65113e8d56fb972c6edfed05
                                    • Instruction ID: 9986dd489854e94b407d4e843bcd3186f07b3c56dbcf33a55f797e48646eb4ac
                                    • Opcode Fuzzy Hash: 4d511a56c9d75752d4573350cecfee82ab797f1e65113e8d56fb972c6edfed05
                                    • Instruction Fuzzy Hash: 65212673A29515AACA02377CB8415D977A0EF543BC74503F3E018DF013DE1CA4CB8694
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2118c948ccc001ed8684c6e18abd188e50e5393f34aeb5973f66fd0e3ea32cf9
                                    • Instruction ID: 2c144a0ab56ecdf3d29e5df569516bf680d12eed321be6237a95e9062598d044
                                    • Opcode Fuzzy Hash: 2118c948ccc001ed8684c6e18abd188e50e5393f34aeb5973f66fd0e3ea32cf9
                                    • Instruction Fuzzy Hash: B442E430A2DA499FE798FB388455279B7E2FF98781F44057AE04EC32C6DF2CA8418755
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 27184eddc13fc7c2a27d87eef633aabaa378239235d07a0e5c3691cbd4fb5c95
                                    • Instruction ID: 923276cb71873f4c2b9c87e9eb7850da726813e7bb48527c8f6bc0b030e779af
                                    • Opcode Fuzzy Hash: 27184eddc13fc7c2a27d87eef633aabaa378239235d07a0e5c3691cbd4fb5c95
                                    • Instruction Fuzzy Hash: 0122E130A2DA499FE798F73884593B976E2FF88781F44057AE04EC32C6DF2CA8418755
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2119c6b79e557e3ae60470835b5ab9ca3c406be399709d61b93aa815ed3b2af8
                                    • Instruction ID: e4322c623b0797d710bdb35e3b5e73de0ef463333d17af35b4c1155fc19696cb
                                    • Opcode Fuzzy Hash: 2119c6b79e557e3ae60470835b5ab9ca3c406be399709d61b93aa815ed3b2af8
                                    • Instruction Fuzzy Hash: 33513220A1E6C95FD796A7785824276BFE1EF87256F0800FBE08DC71D7DE18580AC306
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b6c1d7722e0ee2f0fb696ddc34d8051d8ecb8ffd777004ffe00e560b245ce5d6
                                    • Instruction ID: b4a26e1677658b1914ee5ae34e75b2d4d0446ae996089fec04c12a9516ea9cb9
                                    • Opcode Fuzzy Hash: b6c1d7722e0ee2f0fb696ddc34d8051d8ecb8ffd777004ffe00e560b245ce5d6
                                    • Instruction Fuzzy Hash: E341B236E0E69A8FD742E76898A51EA7BB0FF42255F0801F7D085DB1D3DF2868468354
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 31485f7f0f9973c70368d4b1b4cc9e7fc3723d54d29eda2800cb6dc6a1092bb6
                                    • Instruction ID: 1ff60e952b8dbb20bc8629594b8f580edfd42009b9d6808d6fc5e263b5c82253
                                    • Opcode Fuzzy Hash: 31485f7f0f9973c70368d4b1b4cc9e7fc3723d54d29eda2800cb6dc6a1092bb6
                                    • Instruction Fuzzy Hash: FC21DD32E1DA9A9FE746B76898661FA7BB1FF44240F4401B7D049D72D3DF2828428394
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7122e2bc09bd645bfd789a53524d7a0cab289bde33d1289b29b83e7faa2a9a1b
                                    • Instruction ID: 2f3aa1b924f059609c6f4368dc5e71eed8fbce0e8e116e724b549c2b9a6a8f7c
                                    • Opcode Fuzzy Hash: 7122e2bc09bd645bfd789a53524d7a0cab289bde33d1289b29b83e7faa2a9a1b
                                    • Instruction Fuzzy Hash: 30518437D1F566AAE251B7ACB4521EA7760FF013ADF084377E08C4E0939E1C248582AD
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ae1b63dde04b9ada6d8246c7fc1e1ac4582b6e2ceec4d06ad41df13b2648813a
                                    • Instruction ID: f6a6410a2c1c3664e81a0b0cd6fa30b7c11756a80e715e30a405201b7ff52802
                                    • Opcode Fuzzy Hash: ae1b63dde04b9ada6d8246c7fc1e1ac4582b6e2ceec4d06ad41df13b2648813a
                                    • Instruction Fuzzy Hash: E5510421A0EACA5FE396B73848562797FE1EF87650B0900FBD489C7297DD1C5C428362
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1e95f36b2c289c06e8a56515dc1b569ec47d7470ea89df8b689119a4e4064f05
                                    • Instruction ID: 8f6af3408c34e400a1171132226b7ba357265624ecebe4f3ed9529b95af6c516
                                    • Opcode Fuzzy Hash: 1e95f36b2c289c06e8a56515dc1b569ec47d7470ea89df8b689119a4e4064f05
                                    • Instruction Fuzzy Hash: E731C031B1D9495FE798FB2C985A279B7C2EB98745F0405BEE00EC32D7DE28AC458345
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1d6fdc220c31f7893f5f806e2b71a0df146dd15a35269cebc03039213141df70
                                    • Instruction ID: 8e204ce3849d7e7830f2dbe0628ff910c4e109d345de3b0039a7c398fff6dc23
                                    • Opcode Fuzzy Hash: 1d6fdc220c31f7893f5f806e2b71a0df146dd15a35269cebc03039213141df70
                                    • Instruction Fuzzy Hash: AB31B121F1E94A9FE784B7BC58593B9B7E1EB98651F0402B7E40DC3292DE2C98018752
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b8162fd6acd9a1911bca9d61b7813ffde1cdb277f91a94a7a6ab4f64d043db81
                                    • Instruction ID: e8b58334922c7a10ff51f7afa099601a4d47bc6c52ee804d10b9d7222e9269e0
                                    • Opcode Fuzzy Hash: b8162fd6acd9a1911bca9d61b7813ffde1cdb277f91a94a7a6ab4f64d043db81
                                    • Instruction Fuzzy Hash: EF316D30A1AA4E9FDB44FB68C4557AEB7F2FF98341F50057AD009D3286DE3CA8458B60
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fe4a639cdb38971eaf4956a2151093dd5ae09476c2d64107a55b2e2ff8e60f03
                                    • Instruction ID: 7333f75ee4c04d03c2b320aab1a0d23faa504c578b505620e2662f98ae3bf29f
                                    • Opcode Fuzzy Hash: fe4a639cdb38971eaf4956a2151093dd5ae09476c2d64107a55b2e2ff8e60f03
                                    • Instruction Fuzzy Hash: 9C215334A1A58DAFD788FB5C80957AA7EB2FB88247F904564D54DD338ACF7C6A00C760
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 78d1b2a6cca3c806db9821e8725fc24187e2f3cd6e6ccb83d576cdb6805b55eb
                                    • Instruction ID: 47849395c2f41a229f22c1613ac89654349813aa39e5f56579b34280664ba013
                                    • Opcode Fuzzy Hash: 78d1b2a6cca3c806db9821e8725fc24187e2f3cd6e6ccb83d576cdb6805b55eb
                                    • Instruction Fuzzy Hash: F301F12090DA855FF796B7781C555313FE0DF91692F0804BBE888E21E7DE28A9458377
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3e0a3e4b9974773149d4cbe9fd1f86682705727248b8a3b62a9fb40f8aa10fc6
                                    • Instruction ID: 2b7416fbfd5539bc9f3c57919d51fecd34278d39c8ac449668678ec4c8488b93
                                    • Opcode Fuzzy Hash: 3e0a3e4b9974773149d4cbe9fd1f86682705727248b8a3b62a9fb40f8aa10fc6
                                    • Instruction Fuzzy Hash: 90D05B72D189194FD2A4DA5CA005175F7D0EB54291B19057BE40CD31A4D56519424285
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000010.00000002.2691329991.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_16_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: <M_^$=M_^$M_^j$M_^p
                                    • API String ID: 0-3547729567
                                    • Opcode ID: 2307588259c919147ca360063f1fa5330f94767876a0c1edaacbd6c320575941
                                    • Instruction ID: cb8b8c0c91175bc1425fa64e82bec9db30c5c1dcda6a5b1fa882db79f0583138
                                    • Opcode Fuzzy Hash: 2307588259c919147ca360063f1fa5330f94767876a0c1edaacbd6c320575941
                                    • Instruction Fuzzy Hash: 163125B7A5E556EDE14233AC64421E937D0EFA03A8F594777C4ACCE1C3DE1C204A45E9
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5e248197b380b75c64083f1c38c879b1888e1e88b6583c95159e0a10bd6d627e
                                    • Instruction ID: 21c37d8a23e95a8815543f494a4c01a286dfa3337a59d8942adbf8e6e1d1c654
                                    • Opcode Fuzzy Hash: 5e248197b380b75c64083f1c38c879b1888e1e88b6583c95159e0a10bd6d627e
                                    • Instruction Fuzzy Hash: 9642B330B2DA495FEB98FB3884596B977D2FF98780F44057AE00EC32D6DF28A8418755
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e665ace45e5f70dee5ef6bedd620575f3148c8dc4dd04de40a7b0adc89a98dbf
                                    • Instruction ID: 1bf13e77026b47fc4d73b5d6a40ad02e51d28a518d4bebeb516bf17a3b00662f
                                    • Opcode Fuzzy Hash: e665ace45e5f70dee5ef6bedd620575f3148c8dc4dd04de40a7b0adc89a98dbf
                                    • Instruction Fuzzy Hash: 4B22A030B2DA595FEB98F73884592B976E2FF98780F44057AE00EC32D6DF2CA8418755
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8644789443c7234a8af9f3e883ee1a0b66b3b9872cbac41d25f094f38adb262f
                                    • Instruction ID: e0828a2dbfe1b9479a86abecd9751dd8aaba33db58aaa28da0f82b6641cd83db
                                    • Opcode Fuzzy Hash: 8644789443c7234a8af9f3e883ee1a0b66b3b9872cbac41d25f094f38adb262f
                                    • Instruction Fuzzy Hash: B9513220A1E6C95FD796AB785824276BFE1EF87256F0800FBE08DC71D7DE18580AC306
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 248407441a4d8152d6d1398f831b72de2c8b5da4b68c80e7b126f8c226f09276
                                    • Instruction ID: 2b6d10f4c8ad5051287cdd3ad016d17c2db63718815f6dbcd4aa2e8083114bc8
                                    • Opcode Fuzzy Hash: 248407441a4d8152d6d1398f831b72de2c8b5da4b68c80e7b126f8c226f09276
                                    • Instruction Fuzzy Hash: 9B419336D0E69A8FD742E76898A51EA7FB0FF42254F0901B7D045DB1D3DE2C684A8354
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5ba7c36a819db7005ded03090801a121630d8ded0a8a97a287d92d8edae639e4
                                    • Instruction ID: b3c3b2ce680d3f96dea636c752e78a2202ce7b6e3d63556615b5e72193937cf8
                                    • Opcode Fuzzy Hash: 5ba7c36a819db7005ded03090801a121630d8ded0a8a97a287d92d8edae639e4
                                    • Instruction Fuzzy Hash: 0421D032D1D99A8FEB46B76898661FA7BB1FF44240F4401B7D009D72D3DF2C29468394
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7122e2bc09bd645bfd789a53524d7a0cab289bde33d1289b29b83e7faa2a9a1b
                                    • Instruction ID: 2f3aa1b924f059609c6f4368dc5e71eed8fbce0e8e116e724b549c2b9a6a8f7c
                                    • Opcode Fuzzy Hash: 7122e2bc09bd645bfd789a53524d7a0cab289bde33d1289b29b83e7faa2a9a1b
                                    • Instruction Fuzzy Hash: 30518437D1F566AAE251B7ACB4521EA7760FF013ADF084377E08C4E0939E1C248582AD
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6b613f49706df33434ccb5725e9c997a091ea7fb268ed09520ab75725a2c544e
                                    • Instruction ID: e9042019703aba9630cbb65b4fa6c138fa454c37f6612cb0d766c17bc5ec5633
                                    • Opcode Fuzzy Hash: 6b613f49706df33434ccb5725e9c997a091ea7fb268ed09520ab75725a2c544e
                                    • Instruction Fuzzy Hash: 1C511531A0EACA5FE396A73848562793FE1EF87650B0900FBD489C72D7DD1C5C428352
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4444cd1e61333f8e18a22859966ae95f8f262cc4efe6c8e0ef2a1774d34ef158
                                    • Instruction ID: 7f62563ab17d6d672864aed1b81f911a56246f1b37fe73efaca0cd6fda09b50d
                                    • Opcode Fuzzy Hash: 4444cd1e61333f8e18a22859966ae95f8f262cc4efe6c8e0ef2a1774d34ef158
                                    • Instruction Fuzzy Hash: 2031C031B1D9495FE798FB2C985A279B7C2EB98745F0405BEE00EC32D7DE28AC458345
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1d6fdc220c31f7893f5f806e2b71a0df146dd15a35269cebc03039213141df70
                                    • Instruction ID: 8e204ce3849d7e7830f2dbe0628ff910c4e109d345de3b0039a7c398fff6dc23
                                    • Opcode Fuzzy Hash: 1d6fdc220c31f7893f5f806e2b71a0df146dd15a35269cebc03039213141df70
                                    • Instruction Fuzzy Hash: AB31B121F1E94A9FE784B7BC58593B9B7E1EB98651F0402B7E40DC3292DE2C98018752
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a22243c05741509036fcb752953c74285cdef88f7265205a98e94e74c0df4c3e
                                    • Instruction ID: 071d57f87a220bb552b75ab8e3e3853a71dd9fa3fbad3dc43714916eccb11208
                                    • Opcode Fuzzy Hash: a22243c05741509036fcb752953c74285cdef88f7265205a98e94e74c0df4c3e
                                    • Instruction Fuzzy Hash: 0E317F70A1A6099FDB44FB68D4556AE7BB1FF98340F500576D009D32C6DF3C68458760
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e5ead53de5ffca37952890041e9aa86debc71d12d9ff0922e9911a4d4f8b9b34
                                    • Instruction ID: b6edafa8c6ea5e66e31a20ff21c423eec5ddcd5dc302665bb380434df292cf6a
                                    • Opcode Fuzzy Hash: e5ead53de5ffca37952890041e9aa86debc71d12d9ff0922e9911a4d4f8b9b34
                                    • Instruction Fuzzy Hash: 38219235A5A50D6FDB49EB6894956AA7FB2FBC8200F904564E509C33CACF3C6A048760
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 564b415f2ca5cc3208a38a4fe9c92ca1a7212a594c893b710b22bc5d5e3e9ff1
                                    • Instruction ID: 7e496f1f2b3448fd06a45d792d23beafbcb438ac69e101f0bacdf85de95625c2
                                    • Opcode Fuzzy Hash: 564b415f2ca5cc3208a38a4fe9c92ca1a7212a594c893b710b22bc5d5e3e9ff1
                                    • Instruction Fuzzy Hash: 2E01F13090DA814FF796B7786C555313FE0DF91691F0804BBE888D21E7DE28A9458377
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3e0a3e4b9974773149d4cbe9fd1f86682705727248b8a3b62a9fb40f8aa10fc6
                                    • Instruction ID: 2b7416fbfd5539bc9f3c57919d51fecd34278d39c8ac449668678ec4c8488b93
                                    • Opcode Fuzzy Hash: 3e0a3e4b9974773149d4cbe9fd1f86682705727248b8a3b62a9fb40f8aa10fc6
                                    • Instruction Fuzzy Hash: 90D05B72D189194FD2A4DA5CA005175F7D0EB54291B19057BE40CD31A4D56519424285
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000011.00000002.2744500428.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_17_2_7ff848f30000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: <M_^$=M_^$M_^j$M_^p
                                    • API String ID: 0-3547729567
                                    • Opcode ID: 2307588259c919147ca360063f1fa5330f94767876a0c1edaacbd6c320575941
                                    • Instruction ID: cb8b8c0c91175bc1425fa64e82bec9db30c5c1dcda6a5b1fa882db79f0583138
                                    • Opcode Fuzzy Hash: 2307588259c919147ca360063f1fa5330f94767876a0c1edaacbd6c320575941
                                    • Instruction Fuzzy Hash: 163125B7A5E556EDE14233AC64421E937D0EFA03A8F594777C4ACCE1C3DE1C204A45E9
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b9642d50cd93a56d62df89f63a519e3680c83cd3e84481ab900715e3ca3d55db
                                    • Instruction ID: 03bce7ee2b4a66dd3986f1a599877db95b445093bb2bcc9f4a474ad6662f704a
                                    • Opcode Fuzzy Hash: b9642d50cd93a56d62df89f63a519e3680c83cd3e84481ab900715e3ca3d55db
                                    • Instruction Fuzzy Hash: 4142E330A2DA499FE798FB3894596BA77E2FF98380F440579D80DC32C2DF2DA8418745
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a46ffb9ec2015281d5e2c99315d71ec0df4e8b0b38d476a0aed10911df76e9da
                                    • Instruction ID: 0ad3abdf83641b1ea54db982114b6bdb673e252e46aebdf88caf33e7746ee3cd
                                    • Opcode Fuzzy Hash: a46ffb9ec2015281d5e2c99315d71ec0df4e8b0b38d476a0aed10911df76e9da
                                    • Instruction Fuzzy Hash: A222EF30E2DA499FE798F77894592B967E2FF98380F440579D80EC32C2DF2DA8418749
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d10775e24371253044ce393d1615d7b493d62374383e4d8b777a66e445cc4341
                                    • Instruction ID: deb86c1a228101cf512e64a24590ed8cb723e1f06ced02fe2afb04f250a49e61
                                    • Opcode Fuzzy Hash: d10775e24371253044ce393d1615d7b493d62374383e4d8b777a66e445cc4341
                                    • Instruction Fuzzy Hash: 6D41B432D0D7AA5FD742E76CA8A51EA7FB0FF41254F4800B7C085CB1D3DE2968468358
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4c2e74761db70a9cb4fd55005f2532c81b2ccd35f04b294b20169e0e42cdefbb
                                    • Instruction ID: d4b95a7bf389750c8c090271c1f0e931d44737ea46cb2f92f7a3ada931bceccd
                                    • Opcode Fuzzy Hash: 4c2e74761db70a9cb4fd55005f2532c81b2ccd35f04b294b20169e0e42cdefbb
                                    • Instruction Fuzzy Hash: 4321A032D1DAAA5FE745E7A898661FA7BF1FF44280F4400B6D049C72D3DF2968428798
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cae19e9b0c1e08fd760ee094855cf05ab64fecc549d8e7b46f12adca6154cdb1
                                    • Instruction ID: c8ef7b2c837e78f981d743f09d395d8d95ec0b93d4acaf111536f08b63719440
                                    • Opcode Fuzzy Hash: cae19e9b0c1e08fd760ee094855cf05ab64fecc549d8e7b46f12adca6154cdb1
                                    • Instruction Fuzzy Hash: C2519137A1E5629BE251B7ACB4511EA7B60FF413B9F084277D18C8E0939E1D248682AD
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: add165f679624aaa5ffec3f9df042110026388529929ed76f02b558f4894232f
                                    • Instruction ID: 070784dd5c74aaeb4c9cbc420ebb9539998314d843fbe3885a01499a79fa3213
                                    • Opcode Fuzzy Hash: add165f679624aaa5ffec3f9df042110026388529929ed76f02b558f4894232f
                                    • Instruction Fuzzy Hash: 0F512531A0EAC65FE396B73858562793FE2EF86650B0900FAD88DC7193DD1C5C428312
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eac5f2398ada9829471745bf47304ce7f294ba979da757df53c62030daa31df4
                                    • Instruction ID: 405fffd99f590f0907e9ee8cbf0e80d37107e8ac347e0d26b3cee7ce7ec68225
                                    • Opcode Fuzzy Hash: eac5f2398ada9829471745bf47304ce7f294ba979da757df53c62030daa31df4
                                    • Instruction Fuzzy Hash: 1731E222F1D9599FE784B7AC68593B9B7E1FB98791F040276E40CC32C2DE2C58018751
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 96ca2fb6a53269da7a7242696a75a16d312d3d6405d40d63cb037e5fd4f84ae5
                                    • Instruction ID: 8c1d0657f2a505513b8974fd3e8ff17c4528db735907711416462202c7fd3e85
                                    • Opcode Fuzzy Hash: 96ca2fb6a53269da7a7242696a75a16d312d3d6405d40d63cb037e5fd4f84ae5
                                    • Instruction Fuzzy Hash: 31318D30A1AA0A9FDB44FB68D4556AEB7F1FF98310F504179D809D3286DF3DA8418B50
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 11a06d12570bbfa6737f7fed9adcb1d0cadb595d7eebdebd6ffd3b8b2ca7b619
                                    • Instruction ID: 42b6ecb2a179f0e5c11565ef575fed2c006904439977479f48199aad14050a8b
                                    • Opcode Fuzzy Hash: 11a06d12570bbfa6737f7fed9adcb1d0cadb595d7eebdebd6ffd3b8b2ca7b619
                                    • Instruction Fuzzy Hash: 1D31A231A0AB8D9FD385FB2884A46AA7FF1EF89254F8081A5DC48C7396CF2D59008765
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7b4aafe0187a7f58f3ce31997780dfd8598054d8b64e41784c7c435842808dd6
                                    • Instruction ID: c4759d9883f635024ac0d0a2aa723001ad0ecd25a722a1a7930b5fb419c7de0f
                                    • Opcode Fuzzy Hash: 7b4aafe0187a7f58f3ce31997780dfd8598054d8b64e41784c7c435842808dd6
                                    • Instruction Fuzzy Hash: 19D05B72D1881D4FD2A49A5CB009275F7D0EB54291B19057BD40CE71A4D66518824289
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000015.00000002.3302359169.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_21_2_7ff848f20000_System User.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: <N_^$=N_^$N_^j$N_^p
                                    • API String ID: 0-2936155160
                                    • Opcode ID: f18ded1939bf96f2876503b88b45292fdb8880c4ceb384c7fa54694f2f62734e
                                    • Instruction ID: ca6bf00fad35d3560bce1bb882f6bd97e61fc8e6f4a3cf7d813fff74c343c88b
                                    • Opcode Fuzzy Hash: f18ded1939bf96f2876503b88b45292fdb8880c4ceb384c7fa54694f2f62734e
                                    • Instruction Fuzzy Hash: 6F310BB7A5E4165EE24233AC78511E92B91EF903B8F184576C69CCE1C3CF1C604A46AA