Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
gPEbJi1xiY.exe

Overview

General Information

Sample name:gPEbJi1xiY.exe
renamed because original name is a hash value
Original sample name:e9bfdf319ad612048b093c525c542638.exe
Analysis ID:1538052
MD5:e9bfdf319ad612048b093c525c542638
SHA1:5502f0cc6f1379be1c71639ced806818cb5d40d7
SHA256:92c82638e25caeb1878495704223bea89d42c133f6604e276d821e902f2b0d51
Tags:32exetrojan
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • gPEbJi1xiY.exe (PID: 7320 cmdline: "C:\Users\user\Desktop\gPEbJi1xiY.exe" MD5: E9BFDF319AD612048B093C525C542638)
    • powershell.exe (PID: 7404 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7652 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gPEbJi1xiY.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7896 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\kasper.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5500 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kasper.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 332 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "kasper" /tr "C:\Users\user\AppData\Roaming\kasper.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 2316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • kasper.exe (PID: 7416 cmdline: C:\Users\user\AppData\Roaming\kasper.exe MD5: E9BFDF319AD612048B093C525C542638)
  • kasper.exe (PID: 7476 cmdline: C:\Users\user\AppData\Roaming\kasper.exe MD5: E9BFDF319AD612048B093C525C542638)
  • kasper.exe (PID: 7920 cmdline: C:\Users\user\AppData\Roaming\kasper.exe MD5: E9BFDF319AD612048B093C525C542638)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

No configs have been found

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
gPEbJi1xiY.exeJoeSecurity_XWormYara detected XWormJoe Security
    gPEbJi1xiY.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0xfd0a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xfda7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xfebc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xeef3:$cnc4: POST / HTTP/1.1

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Users\user\AppData\Roaming\kasper.exeJoeSecurity_XWormYara detected XWormJoe Security
      C:\Users\user\AppData\Roaming\kasper.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xfd0a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xfda7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xfebc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xeef3:$cnc4: POST / HTTP/1.1

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.1659848034.00000000003C2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000000.1659848034.00000000003C2000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0xfb0a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0xfba7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0xfcbc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0xecf3:$cnc4: POST / HTTP/1.1
        Process Memory Space: gPEbJi1xiY.exe PID: 7320JoeSecurity_XWormYara detected XWormJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          0.0.gPEbJi1xiY.exe.3c0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
            0.0.gPEbJi1xiY.exe.3c0000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0xfd0a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0xfda7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0xfebc:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0xeef3:$cnc4: POST / HTTP/1.1

            Sigma Signatures

            System Summary

            barindex
            Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gPEbJi1xiY.exe", ParentImage: C:\Users\user\Desktop\gPEbJi1xiY.exe, ParentProcessId: 7320, ParentProcessName: gPEbJi1xiY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', ProcessId: 7404, ProcessName: powershell.exe
            Sigma detected: Change PowerShell Policies to an Insecure Level
            Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gPEbJi1xiY.exe", ParentImage: C:\Users\user\Desktop\gPEbJi1xiY.exe, ParentProcessId: 7320, ParentProcessName: gPEbJi1xiY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', ProcessId: 7404, ProcessName: powershell.exe
            Sigma detected: Powershell Defender Exclusion
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gPEbJi1xiY.exe", ParentImage: C:\Users\user\Desktop\gPEbJi1xiY.exe, ParentProcessId: 7320, ParentProcessName: gPEbJi1xiY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', ProcessId: 7404, ProcessName: powershell.exe
            Sigma detected: Suspicious Schtasks From Env Var Folder
            Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "kasper" /tr "C:\Users\user\AppData\Roaming\kasper.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "kasper" /tr "C:\Users\user\AppData\Roaming\kasper.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\gPEbJi1xiY.exe", ParentImage: C:\Users\user\Desktop\gPEbJi1xiY.exe, ParentProcessId: 7320, ParentProcessName: gPEbJi1xiY.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "kasper" /tr "C:\Users\user\AppData\Roaming\kasper.exe", ProcessId: 332, ProcessName: schtasks.exe
            Sigma detected: Non Interactive PowerShell Process Spawned
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\gPEbJi1xiY.exe", ParentImage: C:\Users\user\Desktop\gPEbJi1xiY.exe, ParentProcessId: 7320, ParentProcessName: gPEbJi1xiY.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe', ProcessId: 7404, ProcessName: powershell.exe

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-20T06:13:06.796168+020028559241Malware Command and Control Activity Detected192.168.2.450017147.185.221.2251848TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: gPEbJi1xiY.exeAvira: detected
            Antivirus detection for dropped file
            Source: C:\Users\user\AppData\Roaming\kasper.exeAvira: detection malicious, Label: HEUR/AGEN.1305769
            Multi AV Scanner detection for domain / URL
            Source: otherwise-puzzle.gl.at.ply.ggVirustotal: Detection: 6%Perma Link
            Multi AV Scanner detection for dropped file
            Source: C:\Users\user\AppData\Roaming\kasper.exeReversingLabs: Detection: 76%
            Multi AV Scanner detection for submitted file
            Source: gPEbJi1xiY.exeReversingLabs: Detection: 76%
            Source: gPEbJi1xiY.exeVirustotal: Detection: 64%Perma Link
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for dropped file
            Source: C:\Users\user\AppData\Roaming\kasper.exeJoe Sandbox ML: detected
            Machine Learning detection for sample
            Source: gPEbJi1xiY.exeJoe Sandbox ML: detected
            Sample uses string decryption to hide its real strings
            Source: gPEbJi1xiY.exeString decryptor: 127.0.0.1,otherwise-puzzle.gl.at.ply.gg
            Source: gPEbJi1xiY.exeString decryptor: 51848
            Source: gPEbJi1xiY.exeString decryptor: <123456789>
            Source: gPEbJi1xiY.exeString decryptor: <Xwormmm>
            Source: gPEbJi1xiY.exeString decryptor: XWorm V5.2
            Source: gPEbJi1xiY.exeString decryptor: USsfqeB.exe
            Source: gPEbJi1xiY.exeString decryptor: %AppData%
            Source: gPEbJi1xiY.exeString decryptor: kasper.exe
            Source: gPEbJi1xiY.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: gPEbJi1xiY.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            barindex
            Suricata IDS alerts for network traffic
            Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:50017 -> 147.185.221.22:51848
            Source: global trafficTCP traffic: 192.168.2.4:49744 -> 147.185.221.22:51848
            Source: Joe Sandbox ViewIP Address: 147.185.221.22 147.185.221.22
            Source: Joe Sandbox ViewASN Name: SALSGIVERUS SALSGIVERUS
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: global trafficDNS traffic detected: DNS query: otherwise-puzzle.gl.at.ply.gg
            Source: powershell.exe, 0000000B.00000002.2198921282.0000028CF8EA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
            Source: powershell.exe, 00000001.00000002.1751767424.0000021642E20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
            Source: powershell.exe, 00000001.00000002.1725836123.000002162A803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
            Source: powershell.exe, 00000001.00000002.1746782288.000002163A984000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833069514.0000021FE4964000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1964756782.000001CF1A484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2143659215.0000028C90071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 0000000B.00000002.2020924810.0000028C80229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 00000004.00000002.1846106587.0000021FECF00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.microso
            Source: powershell.exe, 00000001.00000002.1726118037.000002162AB39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1780676428.0000021FD4B18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1876985787.000001CF0A639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2020924810.0000028C80229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
            Source: gPEbJi1xiY.exe, 00000000.00000002.2927267383.0000000002581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1726118037.000002162A911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1780676428.0000021FD48F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1876985787.000001CF0A411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2020924810.0000028C80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000001.00000002.1726118037.000002162AB39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1780676428.0000021FD4B18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1876985787.000001CF0A639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2020924810.0000028C80229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
            Source: powershell.exe, 0000000B.00000002.2020924810.0000028C80229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 00000001.00000002.1726118037.000002162A911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1780676428.0000021FD48F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1876985787.000001CF0A411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2020924810.0000028C80001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 0000000B.00000002.2143659215.0000028C90071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 0000000B.00000002.2143659215.0000028C90071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 0000000B.00000002.2143659215.0000028C90071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 0000000B.00000002.2020924810.0000028C80229000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 00000001.00000002.1746782288.000002163A984000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833069514.0000021FE4964000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1964756782.000001CF1A484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2143659215.0000028C90071000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

            Operating System Destruction

            barindex
            Protects its processes via BreakOnTermination flag
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: 01 00 00 00 Jump to behavior

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: gPEbJi1xiY.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.0.gPEbJi1xiY.exe.3c0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000000.1659848034.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\AppData\Roaming\kasper.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeCode function: 0_2_00007FFD9B8B2C290_2_00007FFD9B8B2C29
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeCode function: 0_2_00007FFD9B8B3C8C0_2_00007FFD9B8B3C8C
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B9630E91_2_00007FFD9B9630E9
            Source: C:\Users\user\AppData\Roaming\kasper.exeCode function: 16_2_00007FFD9B8A0DE816_2_00007FFD9B8A0DE8
            Source: C:\Users\user\AppData\Roaming\kasper.exeCode function: 17_2_00007FFD9B890DE817_2_00007FFD9B890DE8
            Source: C:\Users\user\AppData\Roaming\kasper.exeCode function: 19_2_00007FFD9B8A0DE819_2_00007FFD9B8A0DE8
            Source: gPEbJi1xiY.exe, 00000000.00000000.1659848034.00000000003C2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameqer.exe4 vs gPEbJi1xiY.exe
            Source: gPEbJi1xiY.exeBinary or memory string: OriginalFilenameqer.exe4 vs gPEbJi1xiY.exe
            Source: gPEbJi1xiY.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: gPEbJi1xiY.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.gPEbJi1xiY.exe.3c0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.1659848034.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: C:\Users\user\AppData\Roaming\kasper.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: gPEbJi1xiY.exe, 8mR9KLvtILMfjup2nWfF4vMP49Cvm8XAvBw.csCryptographic APIs: 'TransformFinalBlock'
            Source: gPEbJi1xiY.exe, sNEKlrI4kVbJxLMfv32FlgTB8THRWQmEECD.csCryptographic APIs: 'TransformFinalBlock'
            Source: gPEbJi1xiY.exe, sNEKlrI4kVbJxLMfv32FlgTB8THRWQmEECD.csCryptographic APIs: 'TransformFinalBlock'
            Source: kasper.exe.0.dr, 8mR9KLvtILMfjup2nWfF4vMP49Cvm8XAvBw.csCryptographic APIs: 'TransformFinalBlock'
            Source: kasper.exe.0.dr, sNEKlrI4kVbJxLMfv32FlgTB8THRWQmEECD.csCryptographic APIs: 'TransformFinalBlock'
            Source: kasper.exe.0.dr, sNEKlrI4kVbJxLMfv32FlgTB8THRWQmEECD.csCryptographic APIs: 'TransformFinalBlock'
            Source: kasper.exe.0.dr, aPGSY26tAPv8Bn199JZ4oyl5dzclkbuKfxz.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: kasper.exe.0.dr, aPGSY26tAPv8Bn199JZ4oyl5dzclkbuKfxz.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: gPEbJi1xiY.exe, aPGSY26tAPv8Bn199JZ4oyl5dzclkbuKfxz.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: gPEbJi1xiY.exe, aPGSY26tAPv8Bn199JZ4oyl5dzclkbuKfxz.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engineClassification label: mal100.troj.evad.winEXE@19/19@1/2
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile created: C:\Users\user\AppData\Roaming\kasper.exeJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\kasper.exeMutant created: NULL
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2316:120:WilError_03
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeMutant created: \Sessions\1\BaseNamedObjects\oW2WLUgkEKUl7DFP
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7660:120:WilError_03
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5gd5v4e.hhq.ps1Jump to behavior
            Source: gPEbJi1xiY.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: gPEbJi1xiY.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: gPEbJi1xiY.exeReversingLabs: Detection: 76%
            Source: gPEbJi1xiY.exeVirustotal: Detection: 64%
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile read: C:\Users\user\Desktop\gPEbJi1xiY.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\gPEbJi1xiY.exe "C:\Users\user\Desktop\gPEbJi1xiY.exe"
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gPEbJi1xiY.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\kasper.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kasper.exe'
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "kasper" /tr "C:\Users\user\AppData\Roaming\kasper.exe"
            Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\kasper.exe C:\Users\user\AppData\Roaming\kasper.exe
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\kasper.exe C:\Users\user\AppData\Roaming\kasper.exe
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\kasper.exe C:\Users\user\AppData\Roaming\kasper.exe
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe'Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gPEbJi1xiY.exe'Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\kasper.exe'Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kasper.exe'Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "kasper" /tr "C:\Users\user\AppData\Roaming\kasper.exe"Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: scrrun.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: avicap32.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: msvfw32.dllJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\kasper.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
            Source: gPEbJi1xiY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: gPEbJi1xiY.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            barindex
            .NET source code contains method to dynamically call methods (often used by packers)
            Source: gPEbJi1xiY.exe, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{NODThFUSvJ98m8qY3lH3LjO3EWGIVqBTlCO.t7OAp8Twp4kHdna7AxBO3usAHw9gieiNBhx,NODThFUSvJ98m8qY3lH3LjO3EWGIVqBTlCO.P8CCpE9EVeJdCbNKlFs3LvHtnWq8whh66xP,NODThFUSvJ98m8qY3lH3LjO3EWGIVqBTlCO.aNHzyCZsCGhOKxO9EoyQUKcMtDZ94U6ZD8t,NODThFUSvJ98m8qY3lH3LjO3EWGIVqBTlCO.EDO2wqjPHSddW5oE4wSdbcB2HgukaC0U0he,sNEKlrI4kVbJxLMfv32FlgTB8THRWQmEECD.R4WchdemLhOZBJ9eOeZYv82UyQj8JCzobRiTyQOyxsRZLBMsUog9hdanha8RhEkV40H()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: gPEbJi1xiY.exe, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_2XRkXlLsPVX6bNCh8xCCtQTfwlEoVJraHoA[2],sNEKlrI4kVbJxLMfv32FlgTB8THRWQmEECD.QSNfifvoY2s9yiWMynq0dhJVn4yJ2SmmFCBVIJLBT9OGtS73CLDwKpT8uA7W2I1jonj(Convert.FromBase64String(_2XRkXlLsPVX6bNCh8xCCtQTfwlEoVJraHoA[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: gPEbJi1xiY.exe, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _2XRkXlLsPVX6bNCh8xCCtQTfwlEoVJraHoA[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: kasper.exe.0.dr, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{NODThFUSvJ98m8qY3lH3LjO3EWGIVqBTlCO.t7OAp8Twp4kHdna7AxBO3usAHw9gieiNBhx,NODThFUSvJ98m8qY3lH3LjO3EWGIVqBTlCO.P8CCpE9EVeJdCbNKlFs3LvHtnWq8whh66xP,NODThFUSvJ98m8qY3lH3LjO3EWGIVqBTlCO.aNHzyCZsCGhOKxO9EoyQUKcMtDZ94U6ZD8t,NODThFUSvJ98m8qY3lH3LjO3EWGIVqBTlCO.EDO2wqjPHSddW5oE4wSdbcB2HgukaC0U0he,sNEKlrI4kVbJxLMfv32FlgTB8THRWQmEECD.R4WchdemLhOZBJ9eOeZYv82UyQj8JCzobRiTyQOyxsRZLBMsUog9hdanha8RhEkV40H()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: kasper.exe.0.dr, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{_2XRkXlLsPVX6bNCh8xCCtQTfwlEoVJraHoA[2],sNEKlrI4kVbJxLMfv32FlgTB8THRWQmEECD.QSNfifvoY2s9yiWMynq0dhJVn4yJ2SmmFCBVIJLBT9OGtS73CLDwKpT8uA7W2I1jonj(Convert.FromBase64String(_2XRkXlLsPVX6bNCh8xCCtQTfwlEoVJraHoA[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: kasper.exe.0.dr, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { _2XRkXlLsPVX6bNCh8xCCtQTfwlEoVJraHoA[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            .NET source code contains potential unpacker
            Source: gPEbJi1xiY.exe, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: s53Mo4MK57Ru2bxLevUnyd8fsPOAvbD8x6x System.AppDomain.Load(byte[])
            Source: gPEbJi1xiY.exe, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: xzSZZxB3rsoqyiyPEinGIUft3c0rYWeEgo9 System.AppDomain.Load(byte[])
            Source: gPEbJi1xiY.exe, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: xzSZZxB3rsoqyiyPEinGIUft3c0rYWeEgo9
            Source: kasper.exe.0.dr, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: s53Mo4MK57Ru2bxLevUnyd8fsPOAvbD8x6x System.AppDomain.Load(byte[])
            Source: kasper.exe.0.dr, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: xzSZZxB3rsoqyiyPEinGIUft3c0rYWeEgo9 System.AppDomain.Load(byte[])
            Source: kasper.exe.0.dr, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.cs.Net Code: xzSZZxB3rsoqyiyPEinGIUft3c0rYWeEgo9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B77D2A5 pushad ; iretd 1_2_00007FFD9B77D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B962316 push 8B485F93h; iretd 1_2_00007FFD9B96231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B79D2A5 pushad ; iretd 4_2_00007FFD9B79D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8BC2C5 push ebx; iretd 4_2_00007FFD9B8BC2DA
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B8B19D8 pushad ; ret 4_2_00007FFD9B8B19E1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFD9B982316 push 8B485F91h; iretd 4_2_00007FFD9B98231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B77D2A5 pushad ; iretd 7_2_00007FFD9B77D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 7_2_00007FFD9B962316 push 8B485F93h; iretd 7_2_00007FFD9B96231B
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B75D2A5 pushad ; iretd 11_2_00007FFD9B75D2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FFD9B942316 push 8B485F95h; iretd 11_2_00007FFD9B94231B
            Source: gPEbJi1xiY.exe, NODThFUSvJ98m8qY3lH3LjO3EWGIVqBTlCO.csHigh entropy of concatenated method names: 'KpJAZAjF0HPCGxbtA3xpTFOzift8DRHJmQpXSmpwASR2gS1PFt92X', 'WM5l549GXM6vgDJ5R0NxYQYGkhZoYEbDBGAhXGY0bfYxror0XwEWs', 'YdNTHCXmII95rQdDFbYAVcJTGhptkzL2iGBa3IjnK7NyxrXO9FbjB', 'OXQbilWMPX4ZCkJp4zONKd7KUsM4kQpdHjfHDlGsOUczn3y5HtLGC'
            Source: gPEbJi1xiY.exe, plAVVEBAJh3mDjelCJg2umABnx30zBLaOOaye4rka9yGOnJqSNmDGfnCvKiDtDmTl74.csHigh entropy of concatenated method names: 'pV5V6atjGq0YKgiXtOeb4wCOaQROiNz9AHB0x2AgIuGye9N6fhP2ulaGd6yEwzq38iZ', 'h8yvnZeiGetFatVOajvkXxKmCQPChjnkEqqNw7aojNAQvzMWaGJdUpdri0F2GXBo5kQ', 'q9VWoFPNkJbDj3l9ewLxeJ04A7cWuBKsuE0XgjnENhg8iaAwq0FTYqfc9dLe2PBsi5Q', '_6x2p52LGy5ygewfDNnJFg4WN7eS', 'ICJ74FbNFU56QBL4b9TKdF3qes9', 'd4zxbtci4n9b6UGFeGYWt0xqXGe', 'vF7L5UjVYpwiUdsBridwX4o181N', 'MkOUhwhbjWLFiqqmAEhkpx5SIPO', '_5cVAx37JJ0IpKMHVOH1PAPF1bP2', 'nHP4r6ZPXesZhLRWIEQNyswMiDe'
            Source: gPEbJi1xiY.exe, ulv3ZgSwIKdpS4Jj44JXg34jSQlVJVtDrKM.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3LlBcIqmOiLOmXW83mJUsNp3TOLIXXg3sX5i9UJpgvPMW6zuUVqaF', 'cAUa01Xca3bkkFRTVE0Aksp1lfaWhEJkbcG8w5Xp0Pz6vqkRLP2kQ', 'wlZvr6O7sx6rCwn298cLX2sBkupR32p9OcxS81RUxT3vriqI56h2a', 'FRBiw82Km0tI2DVHFlda9DEo7AGxVRh6yh2s139jVZ0PZFvbsREB8'
            Source: gPEbJi1xiY.exe, trYnnxBmKFwCVqUuijrD7p5Q892zdCdSZXJ.csHigh entropy of concatenated method names: 'SBOL7tfXFETzd3ZzA7UFDXBN28JTYY7hkMy', '_6dgAi7GLhKtrkFb0nI8luyNd77ZWUC44f69', 'DQvh4MmvtEKumoSuQefxVETKcEpzzLqefcL', 'xKK6Hs7Zihzx0q6FCWE1RuMdWfuv97OyzwP', 'gwOMl1Aeks7TjRc6920rLsBsc6wc7kFa31xyD4P2qEPUaDlFDfDgAITRG2JZ61BYJxJy676bECKazLYk8bzgI', 'Z1dC6KB14ry4rXcHbujBk9vq25CD07pxvlSLmB2cZnh1oq1MIzPSQu0aeiZZwfxiPelfAAyeXGCjr7gvojr9C', 'tnk1x6mIxkINfCqhAQLB0GWl3h3SuWtXHtDe2xxuWXh18oUcGd83dpnJYFEoEQMX5CwpuQsCV6SlYCwV6i1oJ', 'Lj9jV7t3O5KUjH35TxvZ4HCdMy4JZXw45MrtwYbuQ2YlI6DafbhajRfafAXt9MGjTaKBmeWyVjRXMejTHrHAe', 'osUyij2eFVVOJtpvr8H2qtVC2ACSOLmTxfLffUJAz3NtuuGjAPPwkOzpWqsJFq6JmkvVgyObmxoSAWH7qLnKP', 'LEkbsZf7C9SHV7eGV445RkJANpO0eHu6N5hPsodMufL6Q9VimonjFQ0cKayksSFvtvDIjPd9osCw94y2a2YYT'
            Source: gPEbJi1xiY.exe, aPGSY26tAPv8Bn199JZ4oyl5dzclkbuKfxz.csHigh entropy of concatenated method names: '_3q53UJb5IL44pEluF5YCPOPEFlBeUjN4esU', 'rtt4gKseiEBoB3pamScnk3Y7virTKsxUJie', 'B1bwpDSzg0kDwVMIQtXXfHt7eYCHGsEfJNC', 'uFvco9LxAaSIs35JhMinmq1QWD22ufzQzPD', 'N4g34D3Jvnr7z4uN6r7nHFEnK8uW9t9Mufa', '_3Gbra4qbIZdrV9GHOhK3E7j5u7Uln8srVja', '_1Bs6TNPE4Je8wfvuCebZLw59zvgMcCsT4UJ', 'gQtGcevtdnCvmrop5aey4QVXenGE9fcj3mP', 'BWGePUH6OOub4q7iGUBGQh8p6T1BLGt5qt3', 'qNlE80xw45Q3ZSxJon5unx8YsgZEWtIHht6'
            Source: gPEbJi1xiY.exe, q2jSNUIzc7AzlZXmlhzj6tNzfWidaw6X2M5.csHigh entropy of concatenated method names: 'FZR6RBQ3icb4ZNGaD7PDcqsXGZSiu9TZiOi', 'OAoHMJPVLXsGphcpUz63irc9qTiJValbpJv6ZKZO4adJAKTcr1jkNy2LhZu8yKM9KZzW8vvjh3pjTdchIrkcQ', 'nqKY9OEjqJ1FCA6syJUdQeYbx6a1vv0bnbkPZ0nbTsaBe4Bl628OBTlqVzYnHOjQRnIUCeyCEwbEN820HR76I', 'y6yJEacjV24k14cmzAfUftjNemySlXbuuzOvcjzfjWmldEcaFAPrB4A8Ku2sCGzg3TanS1GduEgQ0c8w4dJe4', 'UREYKfqzZBToat7okPktWogosH2vnXyRjTrSKahRbbj1EnWKJUaE3ASJX5umngmVD1xh1XRfvf9j9fzIxOxmx'
            Source: gPEbJi1xiY.exe, 8mR9KLvtILMfjup2nWfF4vMP49Cvm8XAvBw.csHigh entropy of concatenated method names: 'fe7HqoZPoozxioqb2kdoXR4UpAoZoknChIf', 'ILNPyBKuo0xKrTrg1zW2GxqyBahZ84hmDrxvjGVWxcNVLdrCE8g7WPW4Qb1Elc7B7agBkGgpIY4QsZ8R8IPZq', 'GzdMri3kcCAra4iors1yTUUdHE5zkwfpJbPVOh8RM0GQhhc5fdIDcvYVjDSaZ0P3G31jFM73p5PHyyQ9d5DE2', 'R0XJ84Tixzwxvt0FJ1o56AI6Qx96lYPmMzwwIq28ABR2KhT4NKAXhxPIIJLI9KD0ickmqv4LivZSojwITibp3', 'lZBw6IGLjS4sv9otYz6dsQTJi96kJARONtSWtJ3muiAVHJpzYHbtd4sTxRysHXagNMStnWdVrDpozzsFKZXl1'
            Source: gPEbJi1xiY.exe, 2Un4hAuDGIqZLv4eFzWR9nTULTZGghkboof.csHigh entropy of concatenated method names: 'HEBMFwZbakewwENnyvesPbetLLdjliJn2CF', 'rYbJSWNWLN1J5keRpv6wct8kjT2ri8QPSim', 'ro9RAhJLQi2UsZlcmmWVppjC8UBcRRvI2xO', 'xHJ3nKn4ujlh8IPaNW3IGv9kgxaGZAPNbUv0A5fGnWHI3sG40vWg75xSmR4PesmIQxbyIKMInB4oFICPvRClF', '_2NMfS5m6m0yjzoNJBhDgHHXSKQ4I6ORxEzer9QoHzyIWYb1ORncrLGPh1FH7xEJVwxUwtQT9WNFVPaUjH76aB', 'kcklueznBPkxmWW6QX6vHgsHH3JzEKPNuQGiBbuDpz8mdtNqmapxHXfrHBh6uJzwHLBuFeZNp06mCQU86LOiM', 'IBvPAoo6CvxUeXQvdBiDIipcob2SB4VZP9ePCySIC8pd2SpGfdLVkrL9iig7GyoLNrUoIWEmfxMXzeumOkloc', 'wflnrf8vFxO2MnZL0JuXop4KT1Cyn41Q1HF8ZoT7wo9zEQ5d9Y3sXoXyASo7VIGRRtLXFLL4gIgjp2gDapSkS', '_0U5tqFP5nBeSl3jXY8dpi4eZ9w1cNXbyEVYpfWeQ54XGNWcDBeovLZSTdRtdsMhdeMKna4j4IulxX5nMVz76j', '_5XXmo7bhKxkG1sY9diayd0qbRd2LCi3iqhOUB8WZXlXr4ay4Rw52sVQlUXfTbXrBChHHJ4o4YCgwmJB6PDCic'
            Source: gPEbJi1xiY.exe, kLSdC4B8KSnyKnzjSwajECPxLhzhN7RJwGf.csHigh entropy of concatenated method names: '_2XazCwNsE15gVhJ5bBzL8C3j3OoFrymuvfo', 'InWKVrcz3cNPBZ2nOBb7OtBrRG1JLIsSPs6', 'afhahnXDd1RW7RHlnJ7Xf1srZtMrTORcuTB', 'onkYBAYIeEPtjktyccdOmSo9DGsaZpY4P8H', 'SkkVlAWFkF6pT7uGkRf8HL38p2S2DGMjIRiSUuSU2KIsL4fMZ2c5o', 'F9AWClSCpQI9RDKh2w4ODcfgzfibWu5nSlTkgLRUzX0CYexVkdOUo', 'JE54hdQ1StoWaSKSH7KsUhkg30zCg6eld6g4aF4bb2cD1WlC0ajGl', 'hOTRZ6k7mjgl18Ugi0ddCaNtdPNjMr8bHiUWAvG83LEFvMUOj1MYh', 'lYCdIGu27jBvHJk1JpAnvoVl6BHKCHOO9AJhdVNdxrE8XNEkasLl7', 'jPsXK2pA2LAT05gURMu4NSoUzvqUqID3yCwyYG583x0sDAPFRghh9'
            Source: gPEbJi1xiY.exe, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.csHigh entropy of concatenated method names: '_0q7dQs69wTEp4vOf7WFkoX0QfCtt1C7yUaD', 's53Mo4MK57Ru2bxLevUnyd8fsPOAvbD8x6x', 'haS4zoCOettpC13GY72asPeBq2AsdrnlJmw', 'eRqhNYeUVqsOSC0iQKjkrMFsFK033fAXfo8', 'E9UTmlM9mCYat5EmEMel0gm4N0yNSXDq0Xc', 'DgtjkwbF0FSiFmU0qeBOe2hD4xmFhQ0Etmc', '_5q1vpkJjWpp6ga4eUzYQaP930OJHB6WyymA', '_3QJJwEO9QCfEBD3TXYVY3t8vXGhljY70mG2', 't5elxk0soSShCvg5O2oOnqFWJY7HnbDK6LN', 'ln4VEg4Gn2yqmdayuAufmhpvbuutAiXIHs8'
            Source: gPEbJi1xiY.exe, sNEKlrI4kVbJxLMfv32FlgTB8THRWQmEECD.csHigh entropy of concatenated method names: 'TmSYXMf6oPMl6V4BoIepCrkrsg2cE1R8sJS', 'm5DsU8lKFoaxATB52lAk3xVQmSvZQWWs28c', '_8sUFRIygcLlKn8GifrZm7Rb5TeEgg7INKzsijxgw2YFVKpg724xOIvQoSOdFm9pBD88', 'NXpltpTFuUu7ni4ajgcLbHZi8C5RG7OLKeDeaHyX0RVLQhVoLRQqut4UOYGVEzrAj8E', 'jNHXBRLZhBaHLc0FdioOZsl3gtt9RB8KrYGjuMzR2Rg1rL4z44lp7y2WmzXS4rTfTUu', 'b0PtqZdW9qnHw3MMkri6DLE0P97JCrrWSxpJUTwOHtx9tswycWhLtEo41k1jgb0mpCM', 'Gq3jwvSf47OI2jn9Zw94fRuy69lZvrILwW7HGReMQUBf2XZq27aIMy14l4p8ppM787V', 'rEK2mW196O092ULsAs8zikKH5Ftqo5Y31yuL8vi0M1ScuCIob3LvKTcgLIhCRQ7KAem', 'C4S0LCTJDvGotgYccNqv5rkfBT0NzlC1TN70Jo7vtIYs5B8LUpUWkfq5dsMVVS4cgju', 'NqTIxbtkOn479Xbf8priqxLuftWTfEnY1PfvPZrJC3wkFvpnvOysPI0b6lN94KhhDAC'
            Source: kasper.exe.0.dr, NODThFUSvJ98m8qY3lH3LjO3EWGIVqBTlCO.csHigh entropy of concatenated method names: 'KpJAZAjF0HPCGxbtA3xpTFOzift8DRHJmQpXSmpwASR2gS1PFt92X', 'WM5l549GXM6vgDJ5R0NxYQYGkhZoYEbDBGAhXGY0bfYxror0XwEWs', 'YdNTHCXmII95rQdDFbYAVcJTGhptkzL2iGBa3IjnK7NyxrXO9FbjB', 'OXQbilWMPX4ZCkJp4zONKd7KUsM4kQpdHjfHDlGsOUczn3y5HtLGC'
            Source: kasper.exe.0.dr, plAVVEBAJh3mDjelCJg2umABnx30zBLaOOaye4rka9yGOnJqSNmDGfnCvKiDtDmTl74.csHigh entropy of concatenated method names: 'pV5V6atjGq0YKgiXtOeb4wCOaQROiNz9AHB0x2AgIuGye9N6fhP2ulaGd6yEwzq38iZ', 'h8yvnZeiGetFatVOajvkXxKmCQPChjnkEqqNw7aojNAQvzMWaGJdUpdri0F2GXBo5kQ', 'q9VWoFPNkJbDj3l9ewLxeJ04A7cWuBKsuE0XgjnENhg8iaAwq0FTYqfc9dLe2PBsi5Q', '_6x2p52LGy5ygewfDNnJFg4WN7eS', 'ICJ74FbNFU56QBL4b9TKdF3qes9', 'd4zxbtci4n9b6UGFeGYWt0xqXGe', 'vF7L5UjVYpwiUdsBridwX4o181N', 'MkOUhwhbjWLFiqqmAEhkpx5SIPO', '_5cVAx37JJ0IpKMHVOH1PAPF1bP2', 'nHP4r6ZPXesZhLRWIEQNyswMiDe'
            Source: kasper.exe.0.dr, ulv3ZgSwIKdpS4Jj44JXg34jSQlVJVtDrKM.csHigh entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', '_3LlBcIqmOiLOmXW83mJUsNp3TOLIXXg3sX5i9UJpgvPMW6zuUVqaF', 'cAUa01Xca3bkkFRTVE0Aksp1lfaWhEJkbcG8w5Xp0Pz6vqkRLP2kQ', 'wlZvr6O7sx6rCwn298cLX2sBkupR32p9OcxS81RUxT3vriqI56h2a', 'FRBiw82Km0tI2DVHFlda9DEo7AGxVRh6yh2s139jVZ0PZFvbsREB8'
            Source: kasper.exe.0.dr, trYnnxBmKFwCVqUuijrD7p5Q892zdCdSZXJ.csHigh entropy of concatenated method names: 'SBOL7tfXFETzd3ZzA7UFDXBN28JTYY7hkMy', '_6dgAi7GLhKtrkFb0nI8luyNd77ZWUC44f69', 'DQvh4MmvtEKumoSuQefxVETKcEpzzLqefcL', 'xKK6Hs7Zihzx0q6FCWE1RuMdWfuv97OyzwP', 'gwOMl1Aeks7TjRc6920rLsBsc6wc7kFa31xyD4P2qEPUaDlFDfDgAITRG2JZ61BYJxJy676bECKazLYk8bzgI', 'Z1dC6KB14ry4rXcHbujBk9vq25CD07pxvlSLmB2cZnh1oq1MIzPSQu0aeiZZwfxiPelfAAyeXGCjr7gvojr9C', 'tnk1x6mIxkINfCqhAQLB0GWl3h3SuWtXHtDe2xxuWXh18oUcGd83dpnJYFEoEQMX5CwpuQsCV6SlYCwV6i1oJ', 'Lj9jV7t3O5KUjH35TxvZ4HCdMy4JZXw45MrtwYbuQ2YlI6DafbhajRfafAXt9MGjTaKBmeWyVjRXMejTHrHAe', 'osUyij2eFVVOJtpvr8H2qtVC2ACSOLmTxfLffUJAz3NtuuGjAPPwkOzpWqsJFq6JmkvVgyObmxoSAWH7qLnKP', 'LEkbsZf7C9SHV7eGV445RkJANpO0eHu6N5hPsodMufL6Q9VimonjFQ0cKayksSFvtvDIjPd9osCw94y2a2YYT'
            Source: kasper.exe.0.dr, aPGSY26tAPv8Bn199JZ4oyl5dzclkbuKfxz.csHigh entropy of concatenated method names: '_3q53UJb5IL44pEluF5YCPOPEFlBeUjN4esU', 'rtt4gKseiEBoB3pamScnk3Y7virTKsxUJie', 'B1bwpDSzg0kDwVMIQtXXfHt7eYCHGsEfJNC', 'uFvco9LxAaSIs35JhMinmq1QWD22ufzQzPD', 'N4g34D3Jvnr7z4uN6r7nHFEnK8uW9t9Mufa', '_3Gbra4qbIZdrV9GHOhK3E7j5u7Uln8srVja', '_1Bs6TNPE4Je8wfvuCebZLw59zvgMcCsT4UJ', 'gQtGcevtdnCvmrop5aey4QVXenGE9fcj3mP', 'BWGePUH6OOub4q7iGUBGQh8p6T1BLGt5qt3', 'qNlE80xw45Q3ZSxJon5unx8YsgZEWtIHht6'
            Source: kasper.exe.0.dr, q2jSNUIzc7AzlZXmlhzj6tNzfWidaw6X2M5.csHigh entropy of concatenated method names: 'FZR6RBQ3icb4ZNGaD7PDcqsXGZSiu9TZiOi', 'OAoHMJPVLXsGphcpUz63irc9qTiJValbpJv6ZKZO4adJAKTcr1jkNy2LhZu8yKM9KZzW8vvjh3pjTdchIrkcQ', 'nqKY9OEjqJ1FCA6syJUdQeYbx6a1vv0bnbkPZ0nbTsaBe4Bl628OBTlqVzYnHOjQRnIUCeyCEwbEN820HR76I', 'y6yJEacjV24k14cmzAfUftjNemySlXbuuzOvcjzfjWmldEcaFAPrB4A8Ku2sCGzg3TanS1GduEgQ0c8w4dJe4', 'UREYKfqzZBToat7okPktWogosH2vnXyRjTrSKahRbbj1EnWKJUaE3ASJX5umngmVD1xh1XRfvf9j9fzIxOxmx'
            Source: kasper.exe.0.dr, 8mR9KLvtILMfjup2nWfF4vMP49Cvm8XAvBw.csHigh entropy of concatenated method names: 'fe7HqoZPoozxioqb2kdoXR4UpAoZoknChIf', 'ILNPyBKuo0xKrTrg1zW2GxqyBahZ84hmDrxvjGVWxcNVLdrCE8g7WPW4Qb1Elc7B7agBkGgpIY4QsZ8R8IPZq', 'GzdMri3kcCAra4iors1yTUUdHE5zkwfpJbPVOh8RM0GQhhc5fdIDcvYVjDSaZ0P3G31jFM73p5PHyyQ9d5DE2', 'R0XJ84Tixzwxvt0FJ1o56AI6Qx96lYPmMzwwIq28ABR2KhT4NKAXhxPIIJLI9KD0ickmqv4LivZSojwITibp3', 'lZBw6IGLjS4sv9otYz6dsQTJi96kJARONtSWtJ3muiAVHJpzYHbtd4sTxRysHXagNMStnWdVrDpozzsFKZXl1'
            Source: kasper.exe.0.dr, 2Un4hAuDGIqZLv4eFzWR9nTULTZGghkboof.csHigh entropy of concatenated method names: 'HEBMFwZbakewwENnyvesPbetLLdjliJn2CF', 'rYbJSWNWLN1J5keRpv6wct8kjT2ri8QPSim', 'ro9RAhJLQi2UsZlcmmWVppjC8UBcRRvI2xO', 'xHJ3nKn4ujlh8IPaNW3IGv9kgxaGZAPNbUv0A5fGnWHI3sG40vWg75xSmR4PesmIQxbyIKMInB4oFICPvRClF', '_2NMfS5m6m0yjzoNJBhDgHHXSKQ4I6ORxEzer9QoHzyIWYb1ORncrLGPh1FH7xEJVwxUwtQT9WNFVPaUjH76aB', 'kcklueznBPkxmWW6QX6vHgsHH3JzEKPNuQGiBbuDpz8mdtNqmapxHXfrHBh6uJzwHLBuFeZNp06mCQU86LOiM', 'IBvPAoo6CvxUeXQvdBiDIipcob2SB4VZP9ePCySIC8pd2SpGfdLVkrL9iig7GyoLNrUoIWEmfxMXzeumOkloc', 'wflnrf8vFxO2MnZL0JuXop4KT1Cyn41Q1HF8ZoT7wo9zEQ5d9Y3sXoXyASo7VIGRRtLXFLL4gIgjp2gDapSkS', '_0U5tqFP5nBeSl3jXY8dpi4eZ9w1cNXbyEVYpfWeQ54XGNWcDBeovLZSTdRtdsMhdeMKna4j4IulxX5nMVz76j', '_5XXmo7bhKxkG1sY9diayd0qbRd2LCi3iqhOUB8WZXlXr4ay4Rw52sVQlUXfTbXrBChHHJ4o4YCgwmJB6PDCic'
            Source: kasper.exe.0.dr, kLSdC4B8KSnyKnzjSwajECPxLhzhN7RJwGf.csHigh entropy of concatenated method names: '_2XazCwNsE15gVhJ5bBzL8C3j3OoFrymuvfo', 'InWKVrcz3cNPBZ2nOBb7OtBrRG1JLIsSPs6', 'afhahnXDd1RW7RHlnJ7Xf1srZtMrTORcuTB', 'onkYBAYIeEPtjktyccdOmSo9DGsaZpY4P8H', 'SkkVlAWFkF6pT7uGkRf8HL38p2S2DGMjIRiSUuSU2KIsL4fMZ2c5o', 'F9AWClSCpQI9RDKh2w4ODcfgzfibWu5nSlTkgLRUzX0CYexVkdOUo', 'JE54hdQ1StoWaSKSH7KsUhkg30zCg6eld6g4aF4bb2cD1WlC0ajGl', 'hOTRZ6k7mjgl18Ugi0ddCaNtdPNjMr8bHiUWAvG83LEFvMUOj1MYh', 'lYCdIGu27jBvHJk1JpAnvoVl6BHKCHOO9AJhdVNdxrE8XNEkasLl7', 'jPsXK2pA2LAT05gURMu4NSoUzvqUqID3yCwyYG583x0sDAPFRghh9'
            Source: kasper.exe.0.dr, 5QGUCMBcGvkiljphnwBU4ENspMlPZXixJmd.csHigh entropy of concatenated method names: '_0q7dQs69wTEp4vOf7WFkoX0QfCtt1C7yUaD', 's53Mo4MK57Ru2bxLevUnyd8fsPOAvbD8x6x', 'haS4zoCOettpC13GY72asPeBq2AsdrnlJmw', 'eRqhNYeUVqsOSC0iQKjkrMFsFK033fAXfo8', 'E9UTmlM9mCYat5EmEMel0gm4N0yNSXDq0Xc', 'DgtjkwbF0FSiFmU0qeBOe2hD4xmFhQ0Etmc', '_5q1vpkJjWpp6ga4eUzYQaP930OJHB6WyymA', '_3QJJwEO9QCfEBD3TXYVY3t8vXGhljY70mG2', 't5elxk0soSShCvg5O2oOnqFWJY7HnbDK6LN', 'ln4VEg4Gn2yqmdayuAufmhpvbuutAiXIHs8'
            Source: kasper.exe.0.dr, sNEKlrI4kVbJxLMfv32FlgTB8THRWQmEECD.csHigh entropy of concatenated method names: 'TmSYXMf6oPMl6V4BoIepCrkrsg2cE1R8sJS', 'm5DsU8lKFoaxATB52lAk3xVQmSvZQWWs28c', '_8sUFRIygcLlKn8GifrZm7Rb5TeEgg7INKzsijxgw2YFVKpg724xOIvQoSOdFm9pBD88', 'NXpltpTFuUu7ni4ajgcLbHZi8C5RG7OLKeDeaHyX0RVLQhVoLRQqut4UOYGVEzrAj8E', 'jNHXBRLZhBaHLc0FdioOZsl3gtt9RB8KrYGjuMzR2Rg1rL4z44lp7y2WmzXS4rTfTUu', 'b0PtqZdW9qnHw3MMkri6DLE0P97JCrrWSxpJUTwOHtx9tswycWhLtEo41k1jgb0mpCM', 'Gq3jwvSf47OI2jn9Zw94fRuy69lZvrILwW7HGReMQUBf2XZq27aIMy14l4p8ppM787V', 'rEK2mW196O092ULsAs8zikKH5Ftqo5Y31yuL8vi0M1ScuCIob3LvKTcgLIhCRQ7KAem', 'C4S0LCTJDvGotgYccNqv5rkfBT0NzlC1TN70Jo7vtIYs5B8LUpUWkfq5dsMVVS4cgju', 'NqTIxbtkOn479Xbf8priqxLuftWTfEnY1PfvPZrJC3wkFvpnvOysPI0b6lN94KhhDAC'
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile created: C:\Users\user\AppData\Roaming\kasper.exeJump to dropped file

            Boot Survival

            barindex
            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "kasper" /tr "C:\Users\user\AppData\Roaming\kasper.exe"

            Hooking and other Techniques for Hiding and Protection

            barindex
            Loading BitLocker PowerShell Module
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeMemory allocated: 23D0000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeMemory allocated: 1A580000 memory reserve | memory write watchJump to behavior
            Source: C:\Users\user\AppData\Roaming\kasper.exeMemory allocated: 930000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\kasper.exeMemory allocated: 1A770000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\kasper.exeMemory allocated: ED0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\kasper.exeMemory allocated: 1AC10000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\kasper.exeMemory allocated: C40000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\kasper.exeMemory allocated: 1A650000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\kasper.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\kasper.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWindow / User API: threadDelayed 3728Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWindow / User API: threadDelayed 6077Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5121Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4634Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6319Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3403Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7035Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2576Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6676Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3001Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exe TID: 1068Thread sleep time: -11068046444225724s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540Thread sleep time: -6456360425798339s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7772Thread sleep time: -3689348814741908s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8032Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2568Thread sleep time: -2767011611056431s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\kasper.exe TID: 6964Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\kasper.exe TID: 7664Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\AppData\Roaming\kasper.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\kasper.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\kasper.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\kasper.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\kasper.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\kasper.exeThread delayed: delay time: 922337203685477
            Source: gPEbJi1xiY.exe, 00000000.00000002.2956714991.000000001B301000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW"1"
            Source: gPEbJi1xiY.exe, 00000000.00000002.2956714991.000000001B301000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW"
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\kasper.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Adds a directory exclusion to Windows Defender
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe'
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\kasper.exe'
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe'Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\kasper.exe'Jump to behavior
            Bypasses PowerShell execution policy
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe'
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe'Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gPEbJi1xiY.exe'Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\kasper.exe'Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kasper.exe'Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "kasper" /tr "C:\Users\user\AppData\Roaming\kasper.exe"Jump to behavior
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeQueries volume information: C:\Users\user\Desktop\gPEbJi1xiY.exe VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\kasper.exeQueries volume information: C:\Users\user\AppData\Roaming\kasper.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kasper.exeQueries volume information: C:\Users\user\AppData\Roaming\kasper.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\kasper.exeQueries volume information: C:\Users\user\AppData\Roaming\kasper.exe VolumeInformation
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: gPEbJi1xiY.exe, 00000000.00000002.2956714991.000000001B340000.00000004.00000020.00020000.00000000.sdmp, gPEbJi1xiY.exe, 00000000.00000002.2956714991.000000001B30E000.00000004.00000020.00020000.00000000.sdmp, gPEbJi1xiY.exe, 00000000.00000002.2918869746.0000000000836000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\gPEbJi1xiY.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            barindex
            Yara detected XWorm
            Source: Yara matchFile source: gPEbJi1xiY.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.gPEbJi1xiY.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.1659848034.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: gPEbJi1xiY.exe PID: 7320, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\kasper.exe, type: DROPPED

            Remote Access Functionality

            barindex
            Yara detected XWorm
            Source: Yara matchFile source: gPEbJi1xiY.exe, type: SAMPLE
            Source: Yara matchFile source: 0.0.gPEbJi1xiY.exe.3c0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000000.1659848034.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: gPEbJi1xiY.exe PID: 7320, type: MEMORYSTR
            Source: Yara matchFile source: C:\Users\user\AppData\Roaming\kasper.exe, type: DROPPED

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
            Windows Management Instrumentation            		1
            Scheduled Task/Job            		11
            Process Injection            		1
            Masquerading            		OS Credential Dumping221
            Security Software Discovery            		Remote Services11
            Archive Collected Data            		1
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Scheduled Task/Job            		1
            DLL Side-Loading            		1
            Scheduled Task/Job            		11
            Disable or Modify Tools            		LSASS Memory1
            Process Discovery            		Remote Desktop ProtocolData from Removable Media1
            Non-Standard Port            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts1
            PowerShell            		Logon Script (Windows)1
            DLL Side-Loading            		131
            Virtualization/Sandbox Evasion            		Security Account Manager131
            Virtualization/Sandbox Evasion            		SMB/Windows Admin SharesData from Network Shared Drive1
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
            Process Injection            		NTDS1
            Application Window Discovery            		Distributed Component Object ModelInput Capture1
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            Deobfuscate/Decode Files or Information            		LSA Secrets1
            File and Directory Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Obfuscated Files or Information            		Cached Domain Credentials13
            System Information Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
            Software Packing            		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            DLL Side-Loading            		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1538052 Sample: gPEbJi1xiY.exe Startdate: 20/10/2024 Architecture: WINDOWS Score: 100 40 otherwise-puzzle.gl.at.ply.gg 2->40 46 Multi AV Scanner detection for domain / URL 2->46 48 Suricata IDS alerts for network traffic 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 9 other signatures 2->52 8 gPEbJi1xiY.exe 4 2->8         started        13 kasper.exe 2->13         started        15 kasper.exe 2->15         started        17 kasper.exe 2->17         started        signatures3 process4 dnsIp5 42 otherwise-puzzle.gl.at.ply.gg 147.185.221.22, 49744, 49827, 49865 SALSGIVERUS United States 8->42 44 127.0.0.1 unknown unknown 8->44 38 C:\Users\user\AppData\Roaming\kasper.exe, PE32 8->38 dropped 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->56 58 Protects its processes via BreakOnTermination flag 8->58 60 Bypasses PowerShell execution policy 8->60 68 2 other signatures 8->68 19 powershell.exe 23 8->19         started        22 powershell.exe 23 8->22         started        24 powershell.exe 23 8->24         started        26 2 other processes 8->26 62 Antivirus detection for dropped file 13->62 64 Multi AV Scanner detection for dropped file 13->64 66 Machine Learning detection for dropped file 13->66 file6 signatures7 process8 signatures9 54 Loading BitLocker PowerShell Module 19->54 28 conhost.exe 19->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        process10

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            gPEbJi1xiY.exe76%ReversingLabsByteCode-MSIL.Trojan.Jalapeno
            gPEbJi1xiY.exe64%VirustotalBrowse
            gPEbJi1xiY.exe100%AviraHEUR/AGEN.1305769
            gPEbJi1xiY.exe100%Joe Sandbox ML

            Dropped Files

            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Roaming\kasper.exe100%AviraHEUR/AGEN.1305769
            C:\Users\user\AppData\Roaming\kasper.exe100%Joe Sandbox ML
            C:\Users\user\AppData\Roaming\kasper.exe76%ReversingLabsByteCode-MSIL.Trojan.Jalapeno

            Unpacked PE Files

            No Antivirus matches

            Domains

            SourceDetectionScannerLabelLink
            otherwise-puzzle.gl.at.ply.gg6%VirustotalBrowse

            URLs

            SourceDetectionScannerLabelLink
            http://nuget.org/NuGet.exe0%URL Reputationsafe
            http://nuget.org/NuGet.exe0%URL Reputationsafe
            http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
            http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
            http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
            https://contoso.com/0%URL Reputationsafe
            https://nuget.org/nuget.exe0%URL Reputationsafe
            https://contoso.com/License0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe
            https://contoso.com/Icon0%URL Reputationsafe
            https://aka.ms/pscore680%URL Reputationsafe
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
            http://crl.v0%URL Reputationsafe
            http://www.apache.org/licenses/LICENSE-2.0.html0%VirustotalBrowse
            https://github.com/Pester/Pester1%VirustotalBrowse

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            otherwise-puzzle.gl.at.ply.gg
            		147.185.221.22
            		truetrueunknown

            URLs from Memory and Binaries

            NameSourceMaliciousAntivirus DetectionReputation
            http://schemas.microsopowershell.exe, 00000004.00000002.1846106587.0000021FECF00000.00000004.00000020.00020000.00000000.sdmpfalse
              		unknown
              http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.1746782288.000002163A984000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833069514.0000021FE4964000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1964756782.000001CF1A484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2143659215.0000028C90071000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              • URL Reputation: safe
              		unknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.2020924810.0000028C80229000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000001.00000002.1726118037.000002162AB39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1780676428.0000021FD4B18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1876985787.000001CF0A639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2020924810.0000028C80229000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.2020924810.0000028C80229000.00000004.00000800.00020000.00000000.sdmpfalseunknown
              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000001.00000002.1726118037.000002162AB39000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1780676428.0000021FD4B18000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1876985787.000001CF0A639000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2020924810.0000028C80229000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://contoso.com/powershell.exe, 0000000B.00000002.2143659215.0000028C90071000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://nuget.org/nuget.exepowershell.exe, 00000001.00000002.1746782288.000002163A984000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1833069514.0000021FE4964000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1964756782.000001CF1A484000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2143659215.0000028C90071000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2143659215.0000028C90071000.00000004.00000800.00020000.00000000.sdmpfalse
              • URL Reputation: safe
              		unknown
              http://crl.micpowershell.exe, 0000000B.00000002.2198921282.0000028CF8EA8000.00000004.00000020.00020000.00000000.sdmpfalse
                		unknown
                https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2143659215.0000028C90071000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                • URL Reputation: safe
                		unknown
                https://aka.ms/pscore68powershell.exe, 00000001.00000002.1726118037.000002162A911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1780676428.0000021FD48F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1876985787.000001CF0A411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2020924810.0000028C80001000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namegPEbJi1xiY.exe, 00000000.00000002.2927267383.0000000002581000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1726118037.000002162A911000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.1780676428.0000021FD48F1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.1876985787.000001CF0A411000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2020924810.0000028C80001000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                http://crl.vpowershell.exe, 00000001.00000002.1725836123.000002162A803000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2020924810.0000028C80229000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                http://crl.microspowershell.exe, 00000001.00000002.1751767424.0000021642E20000.00000004.00000020.00020000.00000000.sdmpfalse
                  		unknown

                  World Map of Contacted IPs

                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs

                  Public IPs

                  IPDomainCountryFlagASNASN NameMalicious
                  147.185.221.22
                  		otherwise-puzzle.gl.at.ply.ggUnited States
                  		12087SALSGIVERUStrue

                  Private

                  IP
                  127.0.0.1

                  General Information

                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1538052
                  Start date and time:2024-10-20 06:10:06 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 6m 17s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:20
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:gPEbJi1xiY.exe
                  renamed because original name is a hash value
                  Original Sample Name:e9bfdf319ad612048b093c525c542638.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@19/19@1/2
                  EGA Information:
                  • Successful, ratio: 12.5%
                  HCA Information:
                  • Successful, ratio: 98%
                  • Number of executed functions: 61
                  • Number of non-executed functions: 4
                  Cookbook Comments:
                  • Found application associated with file extension: .exe

                  Warnings

                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target kasper.exe, PID 7416 because it is empty
                  • Execution Graph export aborted for target kasper.exe, PID 7476 because it is empty
                  • Execution Graph export aborted for target kasper.exe, PID 7920 because it is empty
                  • Execution Graph export aborted for target powershell.exe, PID 5500 because it is empty
                  • Execution Graph export aborted for target powershell.exe, PID 7404 because it is empty
                  • Execution Graph export aborted for target powershell.exe, PID 7652 because it is empty
                  • Execution Graph export aborted for target powershell.exe, PID 7896 because it is empty
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtCreateKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

                  TimeTypeDescription
                  00:10:59API Interceptor46x Sleep call for process: powershell.exe modified
                  00:11:52API Interceptor213443x Sleep call for process: gPEbJi1xiY.exe modified
                  05:11:53Task SchedulerRun new task: kasper path: C:\Users\user\AppData\Roaming\kasper.exe

                  Joe Sandbox View / Context

                  IPs

                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  147.185.221.22dHp58IIEYz.exeGet hashmaliciousXWormBrowse
                    432mtXKD3l.exeGet hashmaliciousXWormBrowse
                      l18t80u9zg.exeGet hashmaliciousXWormBrowse
                        Windows Defender.exeGet hashmaliciousXWormBrowse
                          e7WMhx18XN.exeGet hashmaliciousSilentXMRMiner, XmrigBrowse
                            SecuriteInfo.com.Trojan.MulDrop28.25270.15094.4444.exeGet hashmaliciousNjratBrowse
                              Bpz46JayQ4.exeGet hashmaliciousXWormBrowse
                                e4L9TXRBhB.exeGet hashmaliciousXWormBrowse
                                  BootstrapperV1.19.exeGet hashmaliciousXWormBrowse
                                    wSVyC8FY.exeGet hashmaliciousXWormBrowse

                                      Domains

                                      No context

                                      ASNs

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      SALSGIVERUSlx3vLwrX57.exeGet hashmaliciousXWormBrowse
                                      • 147.185.221.23
                                      arm7.elfGet hashmaliciousUnknownBrowse
                                      • 147.168.93.87
                                      file.exeGet hashmaliciousAsyncRATBrowse
                                      • 147.185.221.20
                                      arm7.elfGet hashmaliciousUnknownBrowse
                                      • 147.168.203.92
                                      MjrlHJvNyq.exeGet hashmaliciousXWormBrowse
                                      • 147.185.221.20
                                      r8k29DBraE.exeGet hashmaliciousXWormBrowse
                                      • 147.185.221.18
                                      SpeedHack666Cheat (no VM detected).exeGet hashmaliciousNjrat, RevengeRATBrowse
                                      • 147.185.221.23
                                      mIURiU8n2P.exeGet hashmaliciousXWormBrowse
                                      • 147.185.221.21
                                      8svMXMXNRn.exeGet hashmaliciousNoCry, XWormBrowse
                                      • 147.185.221.23
                                      7yJsmmW4wS.exeGet hashmaliciousXWormBrowse
                                      • 147.185.221.23

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\kasper.exe.log

                                      Download File
                                      Process:C:\Users\user\AppData\Roaming\kasper.exe
                                      File Type:CSV text
                                      Category:dropped
                                      Size (bytes):654
                                      Entropy (8bit):5.380476433908377
                                      Encrypted:false
                                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                      MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                      SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                      SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                      SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                      Malicious:false
                                      Reputation:moderate, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                      C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:modified
                                      Size (bytes):64
                                      Entropy (8bit):0.34726597513537405
                                      Encrypted:false
                                      SSDEEP:3:Nlll:Nll
                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                      Malicious:false
                                      Preview:@...e...........................................................

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1s4oruvu.z0d.ps1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a3yzocwq.fmu.psm1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eexe00xp.tol.psm1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gl2qsjwo.paa.ps1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gv2svidy.dzv.ps1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhhsipqs.tgr.psm1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i5lnkf1s.isu.ps1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_itm1cf0j.5dw.psm1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4soey0k.q0g.ps1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kwsfh325.sns.psm1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lcbrqs5z.mwl.psm1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mhihxn5t.f0w.ps1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p5gd5v4e.hhq.ps1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_reocv4yq.42c.ps1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whwszewt.uoj.psm1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yr0wtw0h.ryb.psm1

                                      Download File
                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode

                                      C:\Users\user\AppData\Roaming\kasper.exe

                                      Download File
                                      Process:C:\Users\user\Desktop\gPEbJi1xiY.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):74240
                                      Entropy (8bit):5.966945440680784
                                      Encrypted:false
                                      SSDEEP:1536:wL0W9AqfO+RG++O4iTg5c/kb46LSrbB6dFe4b2OQy+H:O9Adh5c/kb4dBy2OQbH
                                      MD5:E9BFDF319AD612048B093C525C542638
                                      SHA1:5502F0CC6F1379BE1C71639CED806818CB5D40D7
                                      SHA-256:92C82638E25CAEB1878495704223BEA89D42C133F6604E276D821E902F2B0D51
                                      SHA-512:82398E75940B88C27F01CD218237CC11335BDAD2B024E9253425A07AB655EDFC21242E2F9E83EF36F8CC0730AB1B0B2F1C63F2E50A75F424FB7FD1F44516F851
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\kasper.exe, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\kasper.exe, Author: ditekSHen
                                      Antivirus:
                                      • Antivirus: Avira, Detection: 100%
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 76%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..g.............................7... ...@....@.. ....................................@..................................6..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................6......H........c..........&.....................................................(....*.r...p*. ....*..(....*.r...p*. S...*.s.........s.........s.........s.........*.r...p*. ....*.r...p*. K...*.r...p*. .s..*.rW..p*. E/..*.r...p*. .!..*..((...*.r2..p*. .~..*.r...p*. a...*&(....&+.*.+5sL... .... .'..oM...(*...~....-.(D...(6...~....oN...&.-.*.r...p*. 9...*.rX..p*. ~.H.*.r...p*. Zq..*.r0..p*. ...*.r...p*. }...*..............j..................sO..............~.........*"(F...+.*:.t....

                                      Static File Info

                                      General

                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):5.966945440680784
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:gPEbJi1xiY.exe
                                      File size:74'240 bytes
                                      MD5:e9bfdf319ad612048b093c525c542638
                                      SHA1:5502f0cc6f1379be1c71639ced806818cb5d40d7
                                      SHA256:92c82638e25caeb1878495704223bea89d42c133f6604e276d821e902f2b0d51
                                      SHA512:82398e75940b88c27f01cd218237cc11335bdad2b024e9253425a07ab655edfc21242e2f9e83ef36f8cc0730ab1b0b2f1c63f2e50a75f424fb7fd1f44516f851
                                      SSDEEP:1536:wL0W9AqfO+RG++O4iTg5c/kb46LSrbB6dFe4b2OQy+H:O9Adh5c/kb4dBy2OQbH
                                      TLSH:C8737D683BE94129F2BF9FB52EF07152C639F7232803955F28D4428B4B23985CD516FA
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..g.............................7... ...@....@.. ....................................@................................

                                      File Icon

                                      Icon Hash:90cececece8e8eb0

                                      Static PE Info

                                      General

                                      Entrypoint:0x41370e
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x6706CE5C [Wed Oct 9 18:41:32 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                      Entrypoint Preview

                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al
                                      add byte ptr [eax], al

                                      Data Directories

                                      NameVirtual AddressVirtual Size Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT0x136c00x4b.text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x140000x4be.rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x160000xc.reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                      Sections

                                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                      .text0x20000x117140x11800dedddbd44d0520ea86cf194c5389243fFalse0.5941964285714286SysEx File -6.041000368205587IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc0x140000x4be0x60082e8195250b617358104fb3ce4795126False0.369140625data3.6876296225342107IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc0x160000xc0x20053464e383ec66b61069f31ee92916cbdFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                      Resources

                                      NameRVASizeTypeLanguageCountryZLIB Complexity
                                      RT_VERSION0x140a00x234data0.46808510638297873
                                      RT_MANIFEST0x142d40x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                      Imports

                                      DLLImport
                                      mscoree.dll_CorExeMain

                                      Network Behavior

                                      Suricata IDS Alerts

                                      TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                      2024-10-20T06:13:06.796168+02002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.450017147.185.221.2251848TCP

                                      Network Port Distribution

                                      TCP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      Oct 20, 2024 06:11:56.101134062 CEST4974451848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:11:56.106008053 CEST5184849744147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:11:56.106092930 CEST4974451848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:11:56.271238089 CEST4974451848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:11:56.276196957 CEST5184849744147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:03.719347000 CEST5184849744147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:03.719423056 CEST4974451848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:04.264796972 CEST4974451848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:04.269906044 CEST5184849744147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:13.594130039 CEST4982751848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:13.599069118 CEST5184849827147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:13.599164963 CEST4982751848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:13.622433901 CEST4982751848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:13.627379894 CEST5184849827147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:21.347348928 CEST5184849827147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:21.347487926 CEST4982751848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:22.486397028 CEST4982751848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:22.487874985 CEST4986551848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:22.623191118 CEST5184849827147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:22.623229027 CEST5184849865147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:22.623315096 CEST4986551848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:22.639919043 CEST4986551848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:22.644922018 CEST5184849865147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:30.231259108 CEST5184849865147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:30.231333971 CEST4986551848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:32.733479977 CEST4986551848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:32.738481045 CEST5184849865147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:40.750050068 CEST4994451848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:40.755593061 CEST5184849944147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:40.755681992 CEST4994451848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:40.788623095 CEST4994451848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:40.793543100 CEST5184849944147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:48.366180897 CEST5184849944147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:48.366298914 CEST4994451848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:50.990114927 CEST4994451848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:50.995208979 CEST5184849944147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:51.008030891 CEST4998251848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:51.012957096 CEST5184849982147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:51.013098955 CEST4998251848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:51.115694046 CEST4998251848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:51.120702028 CEST5184849982147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:58.488044024 CEST4998251848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:58.493077040 CEST5184849982147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:58.631750107 CEST5184849982147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:58.631817102 CEST4998251848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:59.821611881 CEST4998251848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:59.824049950 CEST5001751848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:59.826462984 CEST5184849982147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:59.829010963 CEST5184850017147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:12:59.829097033 CEST5001751848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:59.934423923 CEST5001751848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:12:59.939433098 CEST5184850017147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:13:06.796168089 CEST5001751848192.168.2.4147.185.221.22
                                      Oct 20, 2024 06:13:06.801129103 CEST5184850017147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:13:07.440001965 CEST5184850017147.185.221.22192.168.2.4
                                      Oct 20, 2024 06:13:07.440165043 CEST5001751848192.168.2.4147.185.221.22

                                      UDP Packets

                                      TimestampSource PortDest PortSource IPDest IP
                                      Oct 20, 2024 06:11:56.084697008 CEST6242853192.168.2.41.1.1.1
                                      Oct 20, 2024 06:11:56.097702980 CEST53624281.1.1.1192.168.2.4

                                      DNS Queries

                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                      Oct 20, 2024 06:11:56.084697008 CEST192.168.2.41.1.1.10x682eStandard query (0)otherwise-puzzle.gl.at.ply.ggA (IP address)IN (0x0001)false

                                      DNS Answers

                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                      Oct 20, 2024 06:11:56.097702980 CEST1.1.1.1192.168.2.40x682eNo error (0)otherwise-puzzle.gl.at.ply.gg147.185.221.22A (IP address)IN (0x0001)false

                                      Statistics

                                      CPU Usage

                                      Click to jump to process

                                      Memory Usage

                                      Click to jump to process

                                      High Level Behavior Distribution

                                      Click to dive into process behavior distribution

                                      Behavior

                                      Click to jump to process

                                      System Behavior

                                      General

                                      Target ID:0
                                      Start time:00:10:54
                                      Start date:20/10/2024
                                      Path:C:\Users\user\Desktop\gPEbJi1xiY.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\gPEbJi1xiY.exe"
                                      Imagebase:0x3c0000
                                      File size:74'240 bytes
                                      MD5 hash:E9BFDF319AD612048B093C525C542638
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1659848034.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1659848034.00000000003C2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                      Reputation:low
                                      Has exited:false

                                      General

                                      Target ID:1
                                      Start time:00:10:58
                                      Start date:20/10/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\gPEbJi1xiY.exe'
                                      Imagebase:0x7ff788560000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:2
                                      Start time:00:10:58
                                      Start date:20/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:4
                                      Start time:00:11:04
                                      Start date:20/10/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'gPEbJi1xiY.exe'
                                      Imagebase:0x7ff788560000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:5
                                      Start time:00:11:04
                                      Start date:20/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:7
                                      Start time:00:11:14
                                      Start date:20/10/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\kasper.exe'
                                      Imagebase:0x7ff788560000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:8
                                      Start time:00:11:14
                                      Start date:20/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:11
                                      Start time:00:11:29
                                      Start date:20/10/2024
                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kasper.exe'
                                      Imagebase:0x7ff788560000
                                      File size:452'608 bytes
                                      MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:12
                                      Start time:00:11:29
                                      Start date:20/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:14
                                      Start time:00:11:52
                                      Start date:20/10/2024
                                      Path:C:\Windows\System32\schtasks.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "kasper" /tr "C:\Users\user\AppData\Roaming\kasper.exe"
                                      Imagebase:0x7ff76f990000
                                      File size:235'008 bytes
                                      MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:15
                                      Start time:00:11:52
                                      Start date:20/10/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      General

                                      Target ID:16
                                      Start time:00:11:53
                                      Start date:20/10/2024
                                      Path:C:\Users\user\AppData\Roaming\kasper.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\kasper.exe
                                      Imagebase:0x3f0000
                                      File size:74'240 bytes
                                      MD5 hash:E9BFDF319AD612048B093C525C542638
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\kasper.exe, Author: Joe Security
                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\kasper.exe, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Avira
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 76%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      General

                                      Target ID:17
                                      Start time:00:12:01
                                      Start date:20/10/2024
                                      Path:C:\Users\user\AppData\Roaming\kasper.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\kasper.exe
                                      Imagebase:0x990000
                                      File size:74'240 bytes
                                      MD5 hash:E9BFDF319AD612048B093C525C542638
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      General

                                      Target ID:19
                                      Start time:00:13:00
                                      Start date:20/10/2024
                                      Path:C:\Users\user\AppData\Roaming\kasper.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Users\user\AppData\Roaming\kasper.exe
                                      Imagebase:0x400000
                                      File size:74'240 bytes
                                      MD5 hash:E9BFDF319AD612048B093C525C542638
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:false

                                      Disassembly

                                      Reset < >

                                        Execution Graph

                                        Execution Coverage:16.6%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:3
                                        Total number of Limit Nodes:0
                                        execution_graph 4411 7ffd9b8b212a 4412 7ffd9b8b2850 RtlSetProcessIsCritical 4411->4412 4414 7ffd9b8b2902 4412->4414

                                        Executed Functions

                                        Function 00007FFD9B8B3C8C Relevance: 4.1, Strings: 3, Instructions: 359COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 0 7ffd9b8b3c8c-7ffd9b8b3d1d 7 7ffd9b8b3d1f-7ffd9b8b3d3b 0->7 8 7ffd9b8b3d6d-7ffd9b8b3d9c 0->8 7->8 9 7ffd9b8b3e15 8->9 10 7ffd9b8b3d9e-7ffd9b8b3db5 8->10 17 7ffd9b8b3e1a-7ffd9b8b3e56 9->17 12 7ffd9b8b3dbb-7ffd9b8b3dc1 10->12 13 7ffd9b8b378a-7ffd9b8b3797 10->13 12->9 14 7ffd9b8b3dc3-7ffd9b8b3dda 12->14 15 7ffd9b8b3097 13->15 16 7ffd9b8b379d-7ffd9b8b3893 13->16 18 7ffd9b8b2d29-7ffd9b8b2d36 14->18 19 7ffd9b8b3de0-7ffd9b8b3de7 14->19 22 7ffd9b8b309c-7ffd9b8b30d0 15->22 74 7ffd9b8b3899-7ffd9b8b38fc 16->74 75 7ffd9b8b3f11-7ffd9b8b3f4d 16->75 18->15 20 7ffd9b8b2d3c-7ffd9b8b2d7a 18->20 24 7ffd9b8b3df1-7ffd9b8b3df8 19->24 20->12 30 7ffd9b8b2d80-7ffd9b8b2d9d call 7ffd9b8b1df8 20->30 29 7ffd9b8b30d8-7ffd9b8b311a 22->29 27 7ffd9b8b3e09 24->27 28 7ffd9b8b3dfa-7ffd9b8b3e04 call 7ffd9b8b0368 24->28 27->9 28->27 44 7ffd9b8b311c-7ffd9b8b313d 29->44 45 7ffd9b8b313f-7ffd9b8b3173 29->45 30->12 38 7ffd9b8b2da3-7ffd9b8b2ddd 30->38 48 7ffd9b8b2e3c-7ffd9b8b2e64 38->48 49 7ffd9b8b2ddf-7ffd9b8b2e32 38->49 52 7ffd9b8b317b-7ffd9b8b31bd 44->52 45->52 57 7ffd9b8b375c-7ffd9b8b3784 48->57 58 7ffd9b8b2e6a-7ffd9b8b2e77 48->58 49->48 72 7ffd9b8b31bf-7ffd9b8b31e0 52->72 73 7ffd9b8b31e2-7ffd9b8b3216 52->73 57->12 57->13 58->15 61 7ffd9b8b2e7d-7ffd9b8b2f50 58->61 124 7ffd9b8b2f55-7ffd9b8b2f6f 61->124 79 7ffd9b8b321e-7ffd9b8b3251 72->79 73->79 84 7ffd9b8b3f52-7ffd9b8b3f8e 74->84 97 7ffd9b8b3902-7ffd9b8b3965 74->97 75->84 96 7ffd9b8b3253-7ffd9b8b32b4 79->96 92 7ffd9b8b3f93-7ffd9b8b3fc7 84->92 98 7ffd9b8b3fcf 92->98 113 7ffd9b8b32b6-7ffd9b8b3335 call 7ffd9b8b0348 96->113 97->92 115 7ffd9b8b396b-7ffd9b8b3a3e 97->115 98->98 147 7ffd9b8b3337-7ffd9b8b3358 113->147 148 7ffd9b8b335a-7ffd9b8b338e 113->148 130 7ffd9b8b2f75-7ffd9b8b2fb3 124->130 131 7ffd9b8b3733-7ffd9b8b3739 124->131 130->124 143 7ffd9b8b2fb5-7ffd9b8b3072 call 7ffd9b8b0348 130->143 131->9 132 7ffd9b8b373f-7ffd9b8b3756 131->132 132->57 132->58 143->22 170 7ffd9b8b3074-7ffd9b8b3095 143->170 152 7ffd9b8b3396-7ffd9b8b342d 147->152 148->152 152->15 172 7ffd9b8b3433-7ffd9b8b35e3 call 7ffd9b8b0348 152->172 170->29 172->9 196 7ffd9b8b35e9-7ffd9b8b35eb 172->196 197 7ffd9b8b3e5b-7ffd9b8b3ea8 196->197 198 7ffd9b8b35f1-7ffd9b8b362f 196->198 210 7ffd9b8b3eaa-7ffd9b8b3ecb 197->210 211 7ffd9b8b3ed0-7ffd9b8b3f0c 197->211 198->17 207 7ffd9b8b3635-7ffd9b8b36c0 198->207 219 7ffd9b8b3710-7ffd9b8b372d 207->219 220 7ffd9b8b36c2-7ffd9b8b3709 207->220 210->211 211->75 219->131 220->219
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2963111149.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9b8b0000_gPEbJi1xiY.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: >$B$SAL_^
                                        • API String ID: 0-1260916914
                                        • Opcode ID: 2c2fb2cdd0560fb1fb98a2b16354a18dafcdce4b16a1f87aba60c481388d5f05
                                        • Instruction ID: a7617c2d65aef01165a31a68ba5f2bd1f5a3475ce7174db28e5119cfb619954f
                                        • Opcode Fuzzy Hash: 2c2fb2cdd0560fb1fb98a2b16354a18dafcdce4b16a1f87aba60c481388d5f05
                                        • Instruction Fuzzy Hash: 5AC17170B186198FEB98EF68C8A5BA9B7E1FF98300F14457EE00DD3291DE74A9418B41
                                        Function 00007FFD9B8B2C29 Relevance: 3.9, Strings: 2, Instructions: 1415COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 222 7ffd9b8b2c29-7ffd9b8b2ccc call 7ffd9b8b2108 call 7ffd9b8b1dc8 call 7ffd9b8b1dd8 234 7ffd9b8b2d00-7ffd9b8b2d23 222->234 235 7ffd9b8b2cce-7ffd9b8b2cfb call 7ffd9b8b1de8 222->235 239 7ffd9b8b2d29-7ffd9b8b2d36 234->239 240 7ffd9b8b3de0-7ffd9b8b3de7 234->240 235->234 241 7ffd9b8b3097 239->241 242 7ffd9b8b2d3c-7ffd9b8b2d7a 239->242 243 7ffd9b8b3df1-7ffd9b8b3df8 240->243 247 7ffd9b8b309c-7ffd9b8b30d0 241->247 248 7ffd9b8b3dbb-7ffd9b8b3dc1 242->248 249 7ffd9b8b2d80-7ffd9b8b2d9d call 7ffd9b8b1df8 242->249 245 7ffd9b8b3e09 243->245 246 7ffd9b8b3dfa-7ffd9b8b3e04 call 7ffd9b8b0368 243->246 251 7ffd9b8b3e15 245->251 246->245 254 7ffd9b8b30d8-7ffd9b8b311a 247->254 248->251 252 7ffd9b8b3dc3-7ffd9b8b3dda 248->252 249->248 257 7ffd9b8b2da3-7ffd9b8b2ddd 249->257 258 7ffd9b8b3e1a-7ffd9b8b3e56 251->258 252->239 252->240 267 7ffd9b8b311c-7ffd9b8b313d 254->267 268 7ffd9b8b313f-7ffd9b8b3173 254->268 265 7ffd9b8b2e3c-7ffd9b8b2e64 257->265 266 7ffd9b8b2ddf-7ffd9b8b2e32 257->266 273 7ffd9b8b375c-7ffd9b8b3784 265->273 274 7ffd9b8b2e6a-7ffd9b8b2e77 265->274 266->265 272 7ffd9b8b317b-7ffd9b8b31bd 267->272 268->272 291 7ffd9b8b31bf-7ffd9b8b31e0 272->291 292 7ffd9b8b31e2-7ffd9b8b3216 272->292 273->248 280 7ffd9b8b378a-7ffd9b8b3797 273->280 274->241 277 7ffd9b8b2e7d-7ffd9b8b2f50 274->277 336 7ffd9b8b2f55-7ffd9b8b2f6f 277->336 280->241 283 7ffd9b8b379d-7ffd9b8b3893 280->283 324 7ffd9b8b3899-7ffd9b8b38fc 283->324 325 7ffd9b8b3f11-7ffd9b8b3f4d 283->325 296 7ffd9b8b321e-7ffd9b8b3251 291->296 292->296 309 7ffd9b8b3253-7ffd9b8b32b4 296->309 327 7ffd9b8b32b6-7ffd9b8b3335 call 7ffd9b8b0348 309->327 334 7ffd9b8b3f52-7ffd9b8b3f8e 324->334 348 7ffd9b8b3902-7ffd9b8b3965 324->348 325->334 365 7ffd9b8b3337-7ffd9b8b3358 327->365 366 7ffd9b8b335a-7ffd9b8b338e 327->366 342 7ffd9b8b3f93-7ffd9b8b3fc7 334->342 343 7ffd9b8b2f75-7ffd9b8b2fb3 336->343 344 7ffd9b8b3733-7ffd9b8b3739 336->344 349 7ffd9b8b3fcf 342->349 343->336 358 7ffd9b8b2fb5-7ffd9b8b3072 call 7ffd9b8b0348 343->358 344->251 346 7ffd9b8b373f-7ffd9b8b3756 344->346 346->273 346->274 348->342 369 7ffd9b8b396b-7ffd9b8b3a3e 348->369 349->349 358->247 394 7ffd9b8b3074-7ffd9b8b3095 358->394 371 7ffd9b8b3396-7ffd9b8b342d 365->371 366->371 371->241 401 7ffd9b8b3433-7ffd9b8b35e3 call 7ffd9b8b0348 371->401 394->254 401->251 424 7ffd9b8b35e9-7ffd9b8b35eb 401->424 425 7ffd9b8b3e5b-7ffd9b8b3ea8 424->425 426 7ffd9b8b35f1-7ffd9b8b362f 424->426 438 7ffd9b8b3eaa-7ffd9b8b3ecb 425->438 439 7ffd9b8b3ed0-7ffd9b8b3f0c 425->439 426->258 435 7ffd9b8b3635-7ffd9b8b36c0 426->435 447 7ffd9b8b3710-7ffd9b8b372d 435->447 448 7ffd9b8b36c2-7ffd9b8b3709 435->448 438->439 439->325 447->344 448->447
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2963111149.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9b8b0000_gPEbJi1xiY.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: B$SAL_^
                                        • API String ID: 0-405448676
                                        • Opcode ID: 8afd685949e33bfaf183701f97c22ba0a8b44090d148355e9d943b3a821d609a
                                        • Instruction ID: a41545705de4d058916a6d1e04776be5369a714ac0fc7926d5eb9e9193024289
                                        • Opcode Fuzzy Hash: 8afd685949e33bfaf183701f97c22ba0a8b44090d148355e9d943b3a821d609a
                                        • Instruction Fuzzy Hash: 65A27470B18A198FEB98EF68C8A5BADB7E1FF98304F144579E04DD3295DF34A8418B41
                                        Function 00007FFD9B8B2839 Relevance: 1.6, APIs: 1, Instructions: 129COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 835 7ffd9b8b2839-7ffd9b8b2900 RtlSetProcessIsCritical 839 7ffd9b8b2908-7ffd9b8b293d 835->839 840 7ffd9b8b2902 835->840 840->839
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2963111149.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9b8b0000_gPEbJi1xiY.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID:
                                        • API String ID: 2695349919-0
                                        • Opcode ID: a2bd43200ca60f8de79c2113d8290bd9ea716f6f7a79a178b708ba3fc2efc21c
                                        • Instruction ID: d5e16923da183822b5ed97ad62655e06faca46cc3bdc13c3473ae757f21976dc
                                        • Opcode Fuzzy Hash: a2bd43200ca60f8de79c2113d8290bd9ea716f6f7a79a178b708ba3fc2efc21c
                                        • Instruction Fuzzy Hash: 7D31E03190C7588FDB28DBA8D845BE9BBE0FF55311F04426EE08AC3692CB246846CB91
                                        Function 00007FFD9B8B212A Relevance: 1.6, APIs: 1, Instructions: 121COMMON
                                        Download Yara Rule

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 842 7ffd9b8b212a-7ffd9b8b289a 845 7ffd9b8b28a2-7ffd9b8b2900 RtlSetProcessIsCritical 842->845 846 7ffd9b8b2908-7ffd9b8b293d 845->846 847 7ffd9b8b2902 845->847 847->846
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.2963111149.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_7ffd9b8b0000_gPEbJi1xiY.jbxd
                                        Similarity
                                        • API ID: CriticalProcess
                                        • String ID:
                                        • API String ID: 2695349919-0
                                        • Opcode ID: 6f38b8f0cf291ac978e57ce44ac3d4462a0a2eea930ac2d1378de3b872e46dab
                                        • Instruction ID: 042c780b912a49d6ba6ec03e20ed9dc04518c62607fb1a0c3ccb37fef467d769
                                        • Opcode Fuzzy Hash: 6f38b8f0cf291ac978e57ce44ac3d4462a0a2eea930ac2d1378de3b872e46dab
                                        • Instruction Fuzzy Hash: E831B031908A188FDB28DF98D845BF97BE0EF59311F14412EE09AD3691DB7468468B91

                                        Executed Functions

                                        Function 00007FFD9B966605 Relevance: .4, Instructions: 442COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1754729505.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b874d7cc6c233907936ead4ff234c8f469cbd7a24913d2188baf5b53bf40089b
                                        • Instruction ID: 4656fd5f78518f5ee96761a203354e4734446279fafba4b644b8ee56c0ea29b3
                                        • Opcode Fuzzy Hash: b874d7cc6c233907936ead4ff234c8f469cbd7a24913d2188baf5b53bf40089b
                                        • Instruction Fuzzy Hash: FED15632A1FACDAFEB659BA858655F57BA0EF52310B0901FFD44CC70E3DA18A905C341
                                        Function 00007FFD9B89A0D3 Relevance: .3, Instructions: 259COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1754236038.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5ccbe5177d7e4327a864ef16c4ea5b6833f7af282609522a8f9ac7580ed5b4c1
                                        • Instruction ID: ba31f34024e2a8ac2b5d10fc0921faac52d7e0fbb8bbd713e8187a44755d3b59
                                        • Opcode Fuzzy Hash: 5ccbe5177d7e4327a864ef16c4ea5b6833f7af282609522a8f9ac7580ed5b4c1
                                        • Instruction Fuzzy Hash: 36118F6690F7CC5FDB138B3888690A47FB0EE5721170A42EBC488CB0B3D9295909C392
                                        Function 00007FFD9B899758 Relevance: .1, Instructions: 130COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1754236038.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e394d3dcfcc17382066b68ef293588222c8260a7e8707d61f099b8e83d104aba
                                        • Instruction ID: 367eb0ca65bf13f26346ef6ff4edaba99a4f2412d9881818ca3200c7f8a20b9d
                                        • Opcode Fuzzy Hash: e394d3dcfcc17382066b68ef293588222c8260a7e8707d61f099b8e83d104aba
                                        • Instruction Fuzzy Hash: 1031E97191CB4C9FDF589F5CA84A6A97BE1FBA8311F00422FE449D3351DA30A955CBC2
                                        Function 00007FFD9B77E384 Relevance: .1, Instructions: 127COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1753819535.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffd9b77d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7e0d5e69c5d06b9e16b21142bbd45fead7b410fd3c50bcb732f291487530ea3f
                                        • Instruction ID: 3c05c1c35963ce0affeac00f0149a9c12fd098e9f1c8726e6fc2873f3fecb4d7
                                        • Opcode Fuzzy Hash: 7e0d5e69c5d06b9e16b21142bbd45fead7b410fd3c50bcb732f291487530ea3f
                                        • Instruction Fuzzy Hash: 8441487190EBC84FE7568B3898959523FF0EF52314B1A02EFD088CB0B3D625B846C792
                                        Function 00007FFD9B89A62C Relevance: .1, Instructions: 100COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1754236038.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: df8dd1936f9d75064ba0ee0e695511f425270bd956b99af80ab0d532731f5211
                                        • Instruction ID: f9e69bed1d46da42faf78f8ebc17043a277b506266995a8be0c33dbad606c73d
                                        • Opcode Fuzzy Hash: df8dd1936f9d75064ba0ee0e695511f425270bd956b99af80ab0d532731f5211
                                        • Instruction Fuzzy Hash: 4B21F63190CB4C8FDB59DFAC984A7E97FF0EB96321F04416BD448C3166DA74941ACB92
                                        Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1754236038.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                        • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                        • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                        Function 00007FFD9B96414D Relevance: .0, Instructions: 37COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1754729505.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 03c25f7b4e258aaf77c4157f7e85f336b294b674e7e659ef1b5bcb7dab8a74db
                                        • Instruction ID: e314bb0f3ef87660c06ba1f9d7cdd65e2b489c174e1039fdf6e055e440b945d7
                                        • Opcode Fuzzy Hash: 03c25f7b4e258aaf77c4157f7e85f336b294b674e7e659ef1b5bcb7dab8a74db
                                        • Instruction Fuzzy Hash: D1F0BE32B0E5098FD769EB9CE4519E873E0EF6532071640BAE06DC72B3CA25EC41C741
                                        Function 00007FFD9B964400 Relevance: .0, Instructions: 35COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1754729505.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 885fb8a14f478555a8d99fc53145adeb74282c2661e56567dd1411ad50b57dc2
                                        • Instruction ID: d3c4fad146726c0c2cea268cacae73a352c425a1c5b03887040f07780d0bf9c0
                                        • Opcode Fuzzy Hash: 885fb8a14f478555a8d99fc53145adeb74282c2661e56567dd1411ad50b57dc2
                                        • Instruction Fuzzy Hash: 3DF0BE32B0E5498FD769EB9CE0619A873E0FF0532070600BAE05DCB1A3CA26AC40C750
                                        Function 00007FFD9B9641D1 Relevance: .0, Instructions: 29COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1754729505.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffd9b960000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                        • Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                        • Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80

                                        Non-executed Functions

                                        Function 00007FFD9B898BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1754236038.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7ffd9b890000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: M_^4$M_^7$M_^F$M_^J
                                        • API String ID: 0-622050427
                                        • Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                        • Instruction ID: 67c483b31486e148cdd38e4893d325e3edbe53289e8afd099b86490093a99135
                                        • Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                        • Instruction Fuzzy Hash: 9321C2A7708565DED30A7B7DBC189E93740CF9427878507F3E1AACB093F91860878AD0

                                        Executed Functions

                                        Function 00007FFD9B986605 Relevance: .4, Instructions: 439COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1850774935.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b980000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1eca52d3cdb13e4ba1ee189169c655737638f133e3413d1aebd0b77efe560823
                                        • Instruction ID: 7a26013c8dec343958fb54985e61a8ba42e894422e9605a8e1f910186c9a23e3
                                        • Opcode Fuzzy Hash: 1eca52d3cdb13e4ba1ee189169c655737638f133e3413d1aebd0b77efe560823
                                        • Instruction Fuzzy Hash: C5D16732A1FECD1FEBA597A858655B57BA1EF12314B0901FED44DCB0E3D928A905C341
                                        Function 00007FFD9B79ED20 Relevance: .2, Instructions: 158COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1849467229.00007FFD9B79D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B79D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b79d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b9342209b2f9cb96771219e6d1d89f99bab9f09e860c0eee957bd6162ce63023
                                        • Instruction ID: c414319097deb64c13a9c472926e8edd980667b61d4b79c032e0c1ff93def457
                                        • Opcode Fuzzy Hash: b9342209b2f9cb96771219e6d1d89f99bab9f09e860c0eee957bd6162ce63023
                                        • Instruction Fuzzy Hash: 1351B07150EBC84FE7669B289855A623FF0EF56310B1506EFE088CB1B3D625E849C792
                                        Function 00007FFD9B8B9750 Relevance: .2, Instructions: 155COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1850168209.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f978e75612b563fd7e30a3e9ba507cff3ad5564b82424a0e67717596a5225c3e
                                        • Instruction ID: da0b98d8e98bcfa02f954e9fd6a74daa868c4b6b8efc82ead84a5d550cbbd354
                                        • Opcode Fuzzy Hash: f978e75612b563fd7e30a3e9ba507cff3ad5564b82424a0e67717596a5225c3e
                                        • Instruction Fuzzy Hash: 32410B7190DB888FDB199F6C9C1A6B97FE0FB59310F04416FD09883193CA646905CBC6
                                        Function 00007FFD9B8BA75C Relevance: .1, Instructions: 121COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1850168209.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 83c9b9d167d96f7a6b090f0c0d3d2cb42c51286d5c992243cb3a52e3cca6182c
                                        • Instruction ID: e41aa9d672992b8faf9d9290c38451b55749661dac2ff3142db4eafa14e5e70e
                                        • Opcode Fuzzy Hash: 83c9b9d167d96f7a6b090f0c0d3d2cb42c51286d5c992243cb3a52e3cca6182c
                                        • Instruction Fuzzy Hash: C8310A3190DB8C8FDB59DFAC98596E97FE0EB66321F04416FD088C7163D974580ACB91
                                        Function 00007FFD9B8BA0FB Relevance: .1, Instructions: 56COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1850168209.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f16ac9ba751cbe3191e234ce7ee9529c26c08a3ef6b3f66eb59ad434073967e
                                        • Instruction ID: 2af3152222be46b6893ed8c4512d1e9e4eb5739de2be1625ab60b453c86e0af4
                                        • Opcode Fuzzy Hash: 9f16ac9ba751cbe3191e234ce7ee9529c26c08a3ef6b3f66eb59ad434073967e
                                        • Instruction Fuzzy Hash: 1801F9B6949ADD1FDB51DF3CA8B40D57FE0FF29210B0601B7E449C7172EA2055098BC1
                                        Function 00007FFD9B8B33B5 Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1850168209.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                        • Instruction ID: 9bdfda7ff094c016ee29611a0f36b44afefaafe4c9d5040173e090ca4ad0f1af
                                        • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                        • Instruction Fuzzy Hash: 8701A73120CB0C4FD748EF0CE451AA6B3E0FB89320F10056EE58AC36A1DA32E882CB41
                                        Function 00007FFD9B98414D Relevance: .0, Instructions: 37COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1850774935.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b980000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 99fd91cb515ada6788d3ffa6aa23fe4237c4c68d9a4c3b03b61efd149b110752
                                        • Instruction ID: 6b1ba46bf2abdc98baf88a7f3dac7d1b5206ac34a9200397f09564390efac6e1
                                        • Opcode Fuzzy Hash: 99fd91cb515ada6788d3ffa6aa23fe4237c4c68d9a4c3b03b61efd149b110752
                                        • Instruction Fuzzy Hash: 52F0BE32B0E9098FD769EA5CE4519A873E0EF6532071600BAE06DC72B3CA35EC40C741
                                        Function 00007FFD9B984400 Relevance: .0, Instructions: 35COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1850774935.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b980000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6b45edc6532ebce5847224356fca105ed7bf18fbe3678d62f2852250c64b07a3
                                        • Instruction ID: 54a4955ff6810b7be3162a19ad9695516e8b7c9470f6c1fb258255c49ebc4d48
                                        • Opcode Fuzzy Hash: 6b45edc6532ebce5847224356fca105ed7bf18fbe3678d62f2852250c64b07a3
                                        • Instruction Fuzzy Hash: 04F05E32B0E9498FD768EA6CE4619A877E0FF45324B5600BAE15DCB5A3DA25AC40C750
                                        Function 00007FFD9B9841D1 Relevance: .0, Instructions: 29COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1850774935.00007FFD9B980000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B980000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b980000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                        • Instruction ID: f848ec0fbad17b8826867ba541709e28433eada1e34e052a78df0744753283af
                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                        • Instruction Fuzzy Hash: F1E01A31B1C8089FDAB9DA4CE051AA973E1EFA832171241BBD14EC7671CA32ED518B80

                                        Non-executed Functions

                                        Function 00007FFD9B8B8BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.1850168209.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_7ffd9b8b0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                        • API String ID: 0-2350917820
                                        • Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                        • Instruction ID: 7b0f662977cc6164e679e680c4340df685633a90ebfc5ad741c77043b032a0a1
                                        • Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                        • Instruction Fuzzy Hash: EB21F6B3B085259ACB0A37BDBC559E87791DF5437C34502F3E029DF193ED58A48B8A80

                                        Executed Functions

                                        Function 00007FFD9B966605 Relevance: .4, Instructions: 427COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1994937581.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b960000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9caaadd963d9c923db3a8101e06ee9e68995c7bfebe1686fb266ce58433b63dc
                                        • Instruction ID: 455d1a601d27363b5f78f3f94473d2b50f0c7f74d41a33d9767937ee84d94dc8
                                        • Opcode Fuzzy Hash: 9caaadd963d9c923db3a8101e06ee9e68995c7bfebe1686fb266ce58433b63dc
                                        • Instruction Fuzzy Hash: 11C14432A1FB8D9FEBA5ABA858645B57BE1EF52310B0901FFD45CC70E3DA18A805C341
                                        Function 00007FFD9B899738 Relevance: .1, Instructions: 143COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1994048735.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b890000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f778d76d2202b940a9dccd8291db3e9d426e55274863f8b700cce3a2debf7956
                                        • Instruction ID: 42222700dd8095880aac8bf9dc34683a6e9984e3208b900a1df0dd6948e835a3
                                        • Opcode Fuzzy Hash: f778d76d2202b940a9dccd8291db3e9d426e55274863f8b700cce3a2debf7956
                                        • Instruction Fuzzy Hash: ED412971A0DB489FDB589F5C9C4A6A87BE0FB98710F50816FE04DD3292DB20B94687C2
                                        Function 00007FFD9B77F364 Relevance: .1, Instructions: 120COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1993195585.00007FFD9B77D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B77D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b77d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 69b7d31eb4792e7bd9932f7c63a8bcb6868b2a198ba3e3c2f220d140f96f2e3a
                                        • Instruction ID: 28c6f7525cfadff6f234c75832049adb8b768a2cc1388cc7a466d6339f00a678
                                        • Opcode Fuzzy Hash: 69b7d31eb4792e7bd9932f7c63a8bcb6868b2a198ba3e3c2f220d140f96f2e3a
                                        • Instruction Fuzzy Hash: DF41157150EBC45FE756CB29A8919523FF0EF56320B1606DFD088CB1B3D625A846C792
                                        Function 00007FFD9B89A038 Relevance: .1, Instructions: 118COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1994048735.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b890000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 41486fbce80d226073cbcb88e9f930b8dfcea88f59b75a68b0e7d0f609e25f2c
                                        • Instruction ID: 54cb4f983a12b9fceb0eaaa69a2a66209ffc0bcc9eba0cae108df213032ec382
                                        • Opcode Fuzzy Hash: 41486fbce80d226073cbcb88e9f930b8dfcea88f59b75a68b0e7d0f609e25f2c
                                        • Instruction Fuzzy Hash: 8F316E67A0BA9D9BFF165F6CAC760E43F60FF15718B0902B3C498870A3FD2525468681
                                        Function 00007FFD9B89A47C Relevance: .1, Instructions: 99COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1994048735.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b890000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13d49c347917cb1b6b83a3fa2904e816b6e70b838b466424d2ea7dcbb49f0936
                                        • Instruction ID: 915203c03446eadb23674b93f7ee375e50189b2fb2716a107cd4a319b449d605
                                        • Opcode Fuzzy Hash: 13d49c347917cb1b6b83a3fa2904e816b6e70b838b466424d2ea7dcbb49f0936
                                        • Instruction Fuzzy Hash: DE21283090CB4C8FDB59DBAC984A7E97FE0EB9A320F04416FD048C3162DA749416CB92
                                        Function 00007FFD9B966806 Relevance: .1, Instructions: 66COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1994937581.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b960000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4b30163f2826c70148ca3d368d18bc3b5387d15e34f5f5e9cf11eacadff4551a
                                        • Instruction ID: f0d438b0ba4b4168dee0c760b10944fcaa3fa9a31db43209caae795d40b6c037
                                        • Opcode Fuzzy Hash: 4b30163f2826c70148ca3d368d18bc3b5387d15e34f5f5e9cf11eacadff4551a
                                        • Instruction Fuzzy Hash: 85112772B1EA8E9FEBA4DBAC90A46B8B7D1EF58314F1500BED04DC71D7CD2568458350
                                        Function 00007FFD9B8933B5 Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1994048735.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b890000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                        • Instruction ID: 790f53b18bf535405e1566ca4fc67868e3ace26fd97990e01e1bad52e7daa871
                                        • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                        • Instruction Fuzzy Hash: 7401A73020CB0C4FDB48EF0CE451AA6B7E0FB89320F10056DE58AC36A1DA32E882CB41
                                        Function 00007FFD9B96414D Relevance: .0, Instructions: 37COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1994937581.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b960000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 53a3b3eacdc12be3296e42826da989b2ae9999654d569a005520f56acb3de775
                                        • Instruction ID: 0153b8ae3c733dac817b20e708955a98b3bf3a38e40fc400b4a512ea3367eda4
                                        • Opcode Fuzzy Hash: 53a3b3eacdc12be3296e42826da989b2ae9999654d569a005520f56acb3de775
                                        • Instruction Fuzzy Hash: 9EF0BE32B0E5098FD769EB9CE4529E873E0EF6532071600BAE06DC72B3CA25EC41C741
                                        Function 00007FFD9B964400 Relevance: .0, Instructions: 35COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1994937581.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b960000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3da7805f81c2f4cad7e52394691d3cdd9c25c011376893865b7ddcdf4f667c89
                                        • Instruction ID: 48c4336c3fb733f7cd47708e9aef9535a38e41c4978b7d44c4019ea643c3adf0
                                        • Opcode Fuzzy Hash: 3da7805f81c2f4cad7e52394691d3cdd9c25c011376893865b7ddcdf4f667c89
                                        • Instruction Fuzzy Hash: CAF0BE32B0E5498FD769EB9CE0629E873E0FF0532070600BAE05DCB1A3CA26AC40C750
                                        Function 00007FFD9B9641D1 Relevance: .0, Instructions: 29COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1994937581.00007FFD9B960000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B960000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b960000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                        • Instruction ID: c307260e9cdd7784a7691b08768f083a0fcbbbef75ed33e7c580895a31fc6b9b
                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                        • Instruction Fuzzy Hash: ADE01A31B1C808DFDA78DA8CE051AE973E1EBA832171241BBD14EC7671CA22ED518B80

                                        Non-executed Functions

                                        Function 00007FFD9B898BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000007.00000002.1994048735.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_7_2_7ffd9b890000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: M_^4$M_^7$M_^F$M_^J
                                        • API String ID: 0-622050427
                                        • Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                        • Instruction ID: 67c483b31486e148cdd38e4893d325e3edbe53289e8afd099b86490093a99135
                                        • Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                        • Instruction Fuzzy Hash: 9321C2A7708565DED30A7B7DBC189E93740CF9427878507F3E1AACB093F91860878AD0

                                        Executed Functions

                                        Function 00007FFD9B87644D Relevance: .7, Instructions: 712COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2206101332.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b870000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a83b0e788a1234989115ad6e8f71657beb8ed3df89b9a8a38e255cbadd28f8f0
                                        • Instruction ID: 79b47e1678eabdbcbf051a1df2cb511ab71348443b4d04db988a80186ed65c9e
                                        • Opcode Fuzzy Hash: a83b0e788a1234989115ad6e8f71657beb8ed3df89b9a8a38e255cbadd28f8f0
                                        • Instruction Fuzzy Hash: A4D19270A18A4D8FDF98DF58C495AE97BE1FF68304F1541AAD40DD72A5CB34E881CB81
                                        Function 00007FFD9B946605 Relevance: .4, Instructions: 439COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2208184345.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b940000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8043b9b1bc49b0fc82164ecce113136a698036eae076cf1851f2d174cbcaa20a
                                        • Instruction ID: 9aac060657479cd12fe8f2f424349a30cf142f0f56a4ce27b3975f8244958e6c
                                        • Opcode Fuzzy Hash: 8043b9b1bc49b0fc82164ecce113136a698036eae076cf1851f2d174cbcaa20a
                                        • Instruction Fuzzy Hash: 32D156B2B1FBDD1FE7A59BA848645B57BA2EF12314B0901FED04CCB1E3DA18A905C341
                                        Function 00007FFD9B879750 Relevance: .1, Instructions: 143COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2206101332.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b870000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 11b821d3de84ef453f233cc7c59dbce0431305eca1eaa46a024f31a12ae65388
                                        • Instruction ID: d5264812b2fb914d2aeacbfba76eb0df2a49a6cf47fc67bebaf14634c6fd490a
                                        • Opcode Fuzzy Hash: 11b821d3de84ef453f233cc7c59dbce0431305eca1eaa46a024f31a12ae65388
                                        • Instruction Fuzzy Hash: 6B413D7190DB888FDB19DF5C9C4A6A97FE0FB59310F04416FE48983292DA74A905CBC6
                                        Function 00007FFD9B75EB89 Relevance: .1, Instructions: 122COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2204104510.00007FFD9B75D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B75D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b75d000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 899c9cc8234abfbee05f60b58e5351f76f4ac9adbac13433392fe2922d40bc5e
                                        • Instruction ID: f79eb738b3320a4a76478ed57de6f23c9c891fe95978741c9cd0e202033f10f0
                                        • Opcode Fuzzy Hash: 899c9cc8234abfbee05f60b58e5351f76f4ac9adbac13433392fe2922d40bc5e
                                        • Instruction Fuzzy Hash: 3B414A7180EBC84FE7568B3898559623FF0EF56321B1606DFD0C9CB1B3D625A846C792
                                        Function 00007FFD9B87B258 Relevance: .1, Instructions: 104COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2206101332.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b870000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 46448eadb9a02edf6801a8599fe640a534e7ab5027df9cbefd04d4cddd7e961d
                                        • Instruction ID: 0a40a40e95fee0a13222531fc919f5124fe8a841c89716d6f300d9a3a097f72a
                                        • Opcode Fuzzy Hash: 46448eadb9a02edf6801a8599fe640a534e7ab5027df9cbefd04d4cddd7e961d
                                        • Instruction Fuzzy Hash: 9221D67190C64C8FEB58DF9C984A7E97BE1EB96331F04426FD049C3162D670984ACB91
                                        Function 00007FFD9B8733B5 Relevance: .0, Instructions: 49COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2206101332.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b870000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                        • Instruction ID: 240e77624845bd21eb498471991253802ac2a52bcd73a2482a697d82a952278d
                                        • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                                        • Instruction Fuzzy Hash: 9201A73020CB0C4FD748EF0CE451AA6B3E0FB89324F10056DE58AC36A1DA32E882CB42
                                        Function 00007FFD9B87A0FB Relevance: .0, Instructions: 45COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2206101332.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b870000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c78abd235ffb33a018cb737e93065d2baff78b2c0e0a22c8c724295f99f44c56
                                        • Instruction ID: 5be9294323744f9ba3c8eb001f0c6c5c22cd664eb35a243e978b8b2427969bda
                                        • Opcode Fuzzy Hash: c78abd235ffb33a018cb737e93065d2baff78b2c0e0a22c8c724295f99f44c56
                                        • Instruction Fuzzy Hash: A4F04236B1EA8C5FEB51DF1CD8650D47FA0FF99205B0501BBD449C7061DA315948C7D1
                                        Function 00007FFD9B94414D Relevance: .0, Instructions: 37COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2208184345.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b940000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a2b42079e90ecc720da485afb668521151472658728d5444d237c5969af5f933
                                        • Instruction ID: cf5f5b98c8dee12c3dbb98cf33e2f2c1cab60c2f5c7b0bda42d27e718e6c3790
                                        • Opcode Fuzzy Hash: a2b42079e90ecc720da485afb668521151472658728d5444d237c5969af5f933
                                        • Instruction Fuzzy Hash: ADF0B432B0D5094FD768EA5CE4529E473E1EF6932071500BAE06DC71B3CE25EC40C741
                                        Function 00007FFD9B944400 Relevance: .0, Instructions: 35COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2208184345.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b940000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4d43361c369ac550b9e8f706584a2a0dce7f75f54ff8567b87dd189de1fe823f
                                        • Instruction ID: 43f9d4147e275cc7b177939a46e45437f8ff4ed100009aa76652352685597267
                                        • Opcode Fuzzy Hash: 4d43361c369ac550b9e8f706584a2a0dce7f75f54ff8567b87dd189de1fe823f
                                        • Instruction Fuzzy Hash: E0F0BE32B0E5498FD768EA5CE0619A873E0FF0532470600BAE16DCB5A3CA25AC40C740
                                        Function 00007FFD9B9441D1 Relevance: .0, Instructions: 29COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2208184345.00007FFD9B940000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B940000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b940000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                        • Instruction ID: fa26efae6fe42842cdbf314e9f6a501e304cd814d59014bdd6b30dca281e3e6a
                                        • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                        • Instruction Fuzzy Hash: 98E01A31B1C8189FDA78DA4CE051AA973E2EBA932171241BBD14EC7671CA22ED518B80

                                        Non-executed Functions

                                        Function 00007FFD9B878BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                        Download Yara Rule
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000B.00000002.2206101332.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_11_2_7ffd9b870000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: O_^8$O_^<$O_^?$O_^J$O_^K$O_^N$O_^Q$O_^Y
                                        • API String ID: 0-3814653101
                                        • Opcode ID: 767dc838b8e3e9580db012fdc19fa58d9d18fd9b3128ba9e1fe4c8e4c2756401
                                        • Instruction ID: 92b9401db0bb30895f639231a5467940bd5095e34f18903a1f3666908ef1c7bf
                                        • Opcode Fuzzy Hash: 767dc838b8e3e9580db012fdc19fa58d9d18fd9b3128ba9e1fe4c8e4c2756401
                                        • Instruction Fuzzy Hash: DF21F2B3A145218AD30A36BDBC959D86780DF9477A34901F3E02ECF393E918A48B8680

                                        Executed Functions

                                        Function 00007FFD9B8A0FFA Relevance: .6, Instructions: 581COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2283244518.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aea8998690cac9bc7985487a279491087f9548af439e92691e3b9e1148e5237a
                                        • Instruction ID: 3583f9538391c6b4a1b921061b0a41820f10a14804089e65c914cf4c60156b0c
                                        • Opcode Fuzzy Hash: aea8998690cac9bc7985487a279491087f9548af439e92691e3b9e1148e5237a
                                        • Instruction Fuzzy Hash: 04F10461B1994A4FEB58F7789879AF977E2FF88300F4405B9E01EC72E7DD28A8418351
                                        Function 00007FFD9B8A0BEE Relevance: .2, Instructions: 203COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2283244518.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e15af68b46c3c8f9d6337f75e69807059dd43a38c966f62afe14ee4e5ca3874
                                        • Instruction ID: ddc8fa58063dceedbe51daddaac11712649c57a7549ca0eaa8dd508469468980
                                        • Opcode Fuzzy Hash: 2e15af68b46c3c8f9d6337f75e69807059dd43a38c966f62afe14ee4e5ca3874
                                        • Instruction Fuzzy Hash: 19516D21B1EACA0FE3A6A77848256797BE1DF8A614B0900FBD08CC71E7DD1D6D468352
                                        Function 00007FFD9B8A0949 Relevance: .1, Instructions: 111COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2283244518.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b3f51041131ebac9764540262be7f59303a015ca9f6ce3cf5f1237d55f45681b
                                        • Instruction ID: 80a2ec9f9347f607dc6facf44f8b98bf39f2c6c0315e9ef0de619ef0bf8d3a05
                                        • Opcode Fuzzy Hash: b3f51041131ebac9764540262be7f59303a015ca9f6ce3cf5f1237d55f45681b
                                        • Instruction Fuzzy Hash: B131A470B18A4E8FEB48EBA898656FE77A1FF88300F540579D40DC32D6DE3868458751
                                        Function 00007FFD9B8A178C Relevance: .1, Instructions: 102COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2283244518.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6d009e67cd8d247aa5481f7614bdc7a9fbe2adf1fd32b0d370b8571a53c3162c
                                        • Instruction ID: 78df4075afd5dd6d55b10b6e80ce86cde63e5dc3ddfe6ae1556ae413f9139364
                                        • Opcode Fuzzy Hash: 6d009e67cd8d247aa5481f7614bdc7a9fbe2adf1fd32b0d370b8571a53c3162c
                                        • Instruction Fuzzy Hash: ED219521B1C9484FE788EB2C982A778B6D2EF9D705F0545BEE04DC32EBDD689C418741
                                        Function 00007FFD9B8A0A89 Relevance: .1, Instructions: 90COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2283244518.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4f17084d2b7e7c111ae42ebc25121ab6f0cbd5882d55ef08dde776dfade8f90a
                                        • Instruction ID: 0073ad63cbb5a094651a5d78517528135e2036ca6f671b6fb01a974569054646
                                        • Opcode Fuzzy Hash: 4f17084d2b7e7c111ae42ebc25121ab6f0cbd5882d55ef08dde776dfade8f90a
                                        • Instruction Fuzzy Hash: 2021D351B1DA4A4FE74977B85C297B977D2EF68700F0502BBE04CC32D7ED18A9428392
                                        Function 00007FFD9B8A1881 Relevance: .1, Instructions: 56COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2283244518.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2e9cef479ea771305a07551883b551e43acf122f402bde864cf0595696bd332f
                                        • Instruction ID: 7d819f97fa04b35f82a74e1170d6339f43b56448f4e4b854cb92dd9c438504fc
                                        • Opcode Fuzzy Hash: 2e9cef479ea771305a07551883b551e43acf122f402bde864cf0595696bd332f
                                        • Instruction Fuzzy Hash: 16014915B0DB990EF755B3786C65475BFE0DF87260B0905BBE888C70E7E8185A818392
                                        Function 00007FFD9B8A0B67 Relevance: .0, Instructions: 31COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.2283244518.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f5cd29e5e42cb77f9dfc9b98285aed3d0d7ace484231a414954b8d74f5d9ede
                                        • Instruction ID: f57f8c2f41f50caa38c73bd59b2d040b5dc6f44aa4581dc1726b7aee50fc131a
                                        • Opcode Fuzzy Hash: 6f5cd29e5e42cb77f9dfc9b98285aed3d0d7ace484231a414954b8d74f5d9ede
                                        • Instruction Fuzzy Hash: E0E03920B1490D8FEF44ABA898592FCB2E2EF9C201F10007BD50DD3296DE2858428351

                                        Executed Functions

                                        Function 00007FFD9B890FFA Relevance: .6, Instructions: 594COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.2360058370.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_17_2_7ffd9b890000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 97b6f27ecd7763e79c94e4303cf1f3ad97e1b410dacb0b6c8bb1a4f0ecdd2236
                                        • Instruction ID: bbeb4955cd27d784f9f658f3961acc1ab110a5419c77425983704883cc36eca7
                                        • Opcode Fuzzy Hash: 97b6f27ecd7763e79c94e4303cf1f3ad97e1b410dacb0b6c8bb1a4f0ecdd2236
                                        • Instruction Fuzzy Hash: 30F10661B1995A8FEB59F7789876AF87BE2FF98304F4405B9D00EC72D7DD28A8018341
                                        Function 00007FFD9B890BEE Relevance: .2, Instructions: 203COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.2360058370.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_17_2_7ffd9b890000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ab5144d408b3b54816393a56ab973cb90da53ca4337d3a1d9db1baa1f7d7b74
                                        • Instruction ID: 86e383fb0f6991f8e06f60b10052c0a488735b7d20c75546e0900419f10db0a2
                                        • Opcode Fuzzy Hash: 2ab5144d408b3b54816393a56ab973cb90da53ca4337d3a1d9db1baa1f7d7b74
                                        • Instruction Fuzzy Hash: E6515A21B1EBCA0FE7A6A77848256747FE1EF8A614B0900FBD098C71E7DC1D6C428352
                                        Function 00007FFD9B890949 Relevance: .1, Instructions: 111COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.2360058370.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_17_2_7ffd9b890000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7250baaba871eb186d776c45050a4177d80244165d24e7832c0053e86e7af714
                                        • Instruction ID: b02b2db7b06e8856c088e227a13f5491fdbbb5ee5df5a558db27dc4da7724e96
                                        • Opcode Fuzzy Hash: 7250baaba871eb186d776c45050a4177d80244165d24e7832c0053e86e7af714
                                        • Instruction Fuzzy Hash: 19319570B18A0E8FDB48EBA8D8666FD7BE1FF98310F5405B9D119C72D6DE3868418741
                                        Function 00007FFD9B89178C Relevance: .1, Instructions: 102COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.2360058370.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_17_2_7ffd9b890000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7b115c243ea79b8ad0e2baa7d56080ee6177a173380980e4897f3ce3697f82a3
                                        • Instruction ID: 27ef65759fe80b8b191908ea451156e26933d77328ddadea6a519dcb5d84116e
                                        • Opcode Fuzzy Hash: 7b115c243ea79b8ad0e2baa7d56080ee6177a173380980e4897f3ce3697f82a3
                                        • Instruction Fuzzy Hash: FC218421B1C9484FEB88EB2C9826678B6D2EF98705F0545BEE04EC32DBDD689C418741
                                        Function 00007FFD9B890A89 Relevance: .1, Instructions: 90COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.2360058370.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_17_2_7ffd9b890000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d065fb18db82da9cb49da72f688d5164750f32f32c86dfe17873f4f5a232e5e7
                                        • Instruction ID: a5ae542bf6149bdb833d25c2ea33f0deb8abc7665a95e0a32bb40a227cd18b00
                                        • Opcode Fuzzy Hash: d065fb18db82da9cb49da72f688d5164750f32f32c86dfe17873f4f5a232e5e7
                                        • Instruction Fuzzy Hash: 7921D651B19A4A4FEB5977B85C297B97BD1EF68700F0502BBF05CC32D7DD18A9418381
                                        Function 00007FFD9B891881 Relevance: .1, Instructions: 56COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.2360058370.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_17_2_7ffd9b890000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 51fc2a4abe4c3ee50b5ce97ff62a7d18684c9141634e745886baec7ce4c3f8e9
                                        • Instruction ID: e7d761364ba0cbcf2abf00803f294f93c2b508a8d4968a8a458f88fff04e9873
                                        • Opcode Fuzzy Hash: 51fc2a4abe4c3ee50b5ce97ff62a7d18684c9141634e745886baec7ce4c3f8e9
                                        • Instruction Fuzzy Hash: D9016D16B0D7990EFB51B3786C65471BFE0DFD6360B0D05FBE4C9C60A3D8185A818382
                                        Function 00007FFD9B890B68 Relevance: .0, Instructions: 32COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000011.00000002.2360058370.00007FFD9B890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B890000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_17_2_7ffd9b890000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ac27cf5d14763674b5ad052c0d0171ff13a6fe3c0bf3e0e3f85f75fd1411008c
                                        • Instruction ID: 63d8984c42a121edeac92a2c5ce554c4f7a0835fdcd8824240436ab0f263c628
                                        • Opcode Fuzzy Hash: ac27cf5d14763674b5ad052c0d0171ff13a6fe3c0bf3e0e3f85f75fd1411008c
                                        • Instruction Fuzzy Hash: 1BE01261B1491D8FEF45FBACA8557FCB2D2EB9C211F1001B7D51DD32DADE2858428391

                                        Executed Functions

                                        Function 00007FFD9B8A0FFA Relevance: .6, Instructions: 581COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2927409376.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 99c9fef0b2d1c7457b9e4e65e1cf8e1791026aea73e151d030c0e53309aca539
                                        • Instruction ID: f2aa738a999921eea63708b77a2fc0e71f9df4772cf9f60edbd9930042ed1f24
                                        • Opcode Fuzzy Hash: 99c9fef0b2d1c7457b9e4e65e1cf8e1791026aea73e151d030c0e53309aca539
                                        • Instruction Fuzzy Hash: 87F1E261B1994A4BE758FB789879AFC77E2FF88340F4404B9E01EC72D7ED28A8418351
                                        Function 00007FFD9B8A0BEE Relevance: .2, Instructions: 203COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2927409376.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d26f39df9862ae6feeb756b04b8a41752954e5def32520eb11f40aa41f28f31c
                                        • Instruction ID: 0c75fee3c174491b28711e5fc1face52912921638f996c0a6638ce7cb8dd4af7
                                        • Opcode Fuzzy Hash: d26f39df9862ae6feeb756b04b8a41752954e5def32520eb11f40aa41f28f31c
                                        • Instruction Fuzzy Hash: 37516D21B1EACA0FE3A6A77848256787BE1DF8A614B0900FFD08CC71E7DD1D6D468352
                                        Function 00007FFD9B8A0949 Relevance: .1, Instructions: 111COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2927409376.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7928f4db2d98af3cd42aea5ffec8be9a2b10e63e43a35041d8447a2184e269e1
                                        • Instruction ID: 4f869f653c8b77d2d56e15bc4f945698c2ae8b4ca432f43197bb03652f54039a
                                        • Opcode Fuzzy Hash: 7928f4db2d98af3cd42aea5ffec8be9a2b10e63e43a35041d8447a2184e269e1
                                        • Instruction Fuzzy Hash: 4A318170B19A0E8FEB48EBA898796FDB7E1FF88300F540479D019C32D6DE3868428751
                                        Function 00007FFD9B8A0A89 Relevance: .1, Instructions: 90COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2927409376.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4f17084d2b7e7c111ae42ebc25121ab6f0cbd5882d55ef08dde776dfade8f90a
                                        • Instruction ID: 0073ad63cbb5a094651a5d78517528135e2036ca6f671b6fb01a974569054646
                                        • Opcode Fuzzy Hash: 4f17084d2b7e7c111ae42ebc25121ab6f0cbd5882d55ef08dde776dfade8f90a
                                        • Instruction Fuzzy Hash: 2021D351B1DA4A4FE74977B85C297B977D2EF68700F0502BBE04CC32D7ED18A9428392
                                        Function 00007FFD9B8A0B67 Relevance: .0, Instructions: 31COMMON
                                        Download Yara Rule
                                        Memory Dump Source
                                        • Source File: 00000013.00000002.2927409376.00007FFD9B8A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_19_2_7ffd9b8a0000_kasper.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6f5cd29e5e42cb77f9dfc9b98285aed3d0d7ace484231a414954b8d74f5d9ede
                                        • Instruction ID: f57f8c2f41f50caa38c73bd59b2d040b5dc6f44aa4581dc1726b7aee50fc131a
                                        • Opcode Fuzzy Hash: 6f5cd29e5e42cb77f9dfc9b98285aed3d0d7ace484231a414954b8d74f5d9ede
                                        • Instruction Fuzzy Hash: E0E03920B1490D8FEF44ABA898592FCB2E2EF9C201F10007BD50DD3296DE2858428351