Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546398
MD5: f5d31bef57f4d69af9f1b44a6f8f8d5e
SHA1: 2ffa0bb9f123f6e8cda8ef398d33c1c71a01961e
SHA256: 88dbbdcc10e16ae14103f8a0cbcd2d692668fc78efcc36a406880ff1e6b5fac0
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Powershell create lnk in startup
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by miners)
Disables UAC (registry)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Potentially malicious time measurement code found
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5988 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F5D31BEF57F4D69AF9F1B44A6F8F8D5E)
    • conhost.exe (PID: 5996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5432 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • explorer.exe (PID: 5600 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
      • powershell.exe (PID: 368 cmdline: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\explorer.exe'; $s.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 3092 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
    • WerFault.exe (PID: 940 cmdline: C:\Windows\system32\WerFault.exe -u -p 5988 -s 1176 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • explorer.exe (PID: 2956 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
No configs have been found
Source: 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security
Source: Process Memory Space: file.exe PID: 5988; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: Process Memory Space: file.exe PID: 5988; Rule: JoeSecurity_UACBypassusingCMSTP; Description: Yara detected UAC Bypass using CMSTP; Author: Joe Security

        System Summary

Source: File created; Author: Christopher Peacock '@securepeacock', SCYTHE; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 368, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5988, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, ProcessId: 7116, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5988, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, ProcessId: 7116, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 368, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5988, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, ProcessId: 7116, ProcessName: powershell.exe

        Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\explorer.exe'; $s.Save()", CommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\explorer.exe'; $s.Save()", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\explorer.exe", ParentImage: C:\Windows\explorer.exe, ParentProcessId: 5600, ParentProcessName: explorer.exe, ProcessCommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\explorer.exe'; $s.Save()", ProcessId: 368, ProcessName: powershell.exe
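The two PowerShell behaviours that the Sigma matches above record (the Add-MpPreference exclusion under System Summary, and the Startup-folder Nexus.lnk written under Persistence and Installation Behavior) as stand-alone detection logic. This is an added example, not Joe Sandbox output and not the Sigma rules themselves: the events are constructed Sysmon-style records (EventID 1 process creation, EventID 11 file creation) modelled on the process tree, plus two benign controls and one -EncodedCommand variant of the same exclusion. The base64offset function reimplements the three-alignment trick behind Sigma's base64offset modifier; the field names, detection names and regexes are this example's own choices.

```python
"""Detection logic for the two PowerShell behaviours seen in this report.

Constructed example: the events below are Sysmon-style records (EventID 1 =
process creation, EventID 11 = file creation) modelled on the process tree,
plus two benign controls and one -EncodedCommand variant of the exclusion.
"""
import base64
import re

# Startup folder .lnk path, as it appears inside a command line or a TargetFilename.
STARTUP_LNK_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\'\"]+\.lnk", re.IGNORECASE
)
# Add-/Set-MpPreference followed by any -Exclusion* parameter (plain-text form).
MP_EXCLUSION_RE = re.compile(r"\b(Add|Set)-MpPreference\b.*-Exclusion", re.IGNORECASE)
# Cmdlet spellings to look for inside base64 blobs (PowerShell is case-insensitive).
MP_NEEDLES = ("Add-MpPreference", "Set-MpPreference", "add-mppreference", "set-mppreference")


def base64offset(value):
    """The three base64 alignments of `value` (bytes), each trimmed of the edge
    characters that also depend on neighbouring bytes, so every fragment is an
    exact substring of any base64 stream containing `value` at any byte offset.
    Same idea as Sigma's base64offset modifier, reimplemented here (assumption)."""
    start = (0, 2, 3)        # leading chars that depend on the padding bytes
    end = (None, -3, -2)     # trailing chars (and '=') that depend on what follows
    fragments = []
    for i in range(3):
        enc = base64.b64encode(b" " * i + value)
        fragments.append(enc[start[i]:end[(len(value) + i) % 3]].decode())
    return fragments


def contains_base64(haystack, needle):
    """True if `needle` appears base64-encoded in `haystack`, either as ASCII
    or as UTF-16LE (the encoding -EncodedCommand uses)."""
    for raw in (needle.encode("ascii"), needle.encode("utf-16le")):
        if any(frag in haystack for frag in base64offset(raw)):
            return True
    return False


def encoded_command(script):
    """Build a -EncodedCommand line the way PowerShell expects it (UTF-16LE, base64)."""
    blob = base64.b64encode(script.encode("utf-16le")).decode("ascii")
    return "powershell.exe -NoProfile -EncodedCommand " + blob


def detect(event):
    """Return the names of the detections that fire on one event."""
    hits = []
    is_powershell = event.get("Image", "").lower().endswith(("\\powershell.exe", "\\pwsh.exe"))
    if event.get("EventID") == 1 and is_powershell:
        cmdline = event.get("CommandLine", "")
        if MP_EXCLUSION_RE.search(cmdline):
            hits.append("defender_exclusion_plain")
        if any(contains_base64(cmdline, n) for n in MP_NEEDLES):
            hits.append("defender_exclusion_base64")
        if "createshortcut" in cmdline.lower() and STARTUP_LNK_RE.search(cmdline):
            hits.append("startup_lnk_via_powershell")
    if event.get("EventID") == 11 and STARTUP_LNK_RE.search(event.get("TargetFilename", "")):
        hits.append("startup_folder_lnk_write")
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
EXCLUSION = r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force'

# Constructed sample events (not sandbox output): 0-2 mirror the report, 3-4 are benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Users\user\Desktop\file.exe",
     "CommandLine": '"%s" %s' % (PS, EXCLUSION)},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -Command \"$ws = New-Object -ComObject WScript.Shell; "
                    "$s = $ws.CreateShortcut('%s\\Nexus.lnk'); "
                    "$s.TargetPath = 'C:\\Windows\\explorer.exe'; $s.Save()\"" % STARTUP},
    {"EventID": 11, "Image": PS, "TargetFilename": STARTUP + r"\Nexus.lnk"},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
    {"EventID": 11, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Vendor\Vendor.lnk"},
    # Same exclusion hidden behind -EncodedCommand: the plain regex misses it, base64offset does not.
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Users\user\Desktop\file.exe",
     "CommandLine": encoded_command(EXCLUSION)},
]


def scan(events=SAMPLE_EVENTS):
    """Map event index -> list of detection names, for the events that fire."""
    results = {}
    for idx, event in enumerate(events):
        hits = detect(event)
        if hits:
            results[idx] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan().items():
        ev = SAMPLE_EVENTS[idx]
        print(idx, ev.get("CommandLine", ev.get("TargetFilename"))[:70], hits)
```

The file-write check is deliberately not restricted to powershell.exe: any process dropping a .lnk into the Startup folder is worth a look, and the process-tree context (here file.exe -> explorer.exe -> powershell.exe) is what separates an installer from an injected payload. The base64offset fragments are only safe for needles of a dozen bytes or more; short needles produce fragments short enough to collide with unrelated blobs.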

Timestamp                        SID      Severity  Classtype                      Source IP     Source Port  Destination IP  Destination Port  Protocol
2024-10-31T20:57:11.715249+0100  2022930  1         A Network Trojan was detected  4.245.163.56  443          192.168.2.5     49714             TCP
2024-10-31T20:57:49.883637+0100  2022930  1         A Network Trojan was detected  4.245.163.56  443          192.168.2.5     49902             TCP

        AV Detection

Source: file.exe; ReversingLabs: Detection: 26%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe; Joe Sandbox ML: detected

        Exploits

Source: Yara match; File source: 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: file.exe PID: 5988, type: MEMORYSTR

        Bitcoin Miner

Source: C:\Windows\explorer.exe; Code function: 5_2_00434800 LoadLibraryExW
Source: file.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: mscorlib.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.ni.pdbRSDS source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.pdbq1 source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.pdb0 source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Management.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: mscorlib.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Management.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Core.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.ni.pdbRSDS source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Core.ni.pdbRSDS source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Core.ni.pdb source: WERB5DA.tmp.dmp.11.dr
Source: C:\Windows\explorer.exe; Code function: 4x nop then cmp rdx, rbx (5_2_0040C2E0)
Source: C:\Windows\explorer.exe; Code function: 4x nop then cmp rdx, 40h (5_2_00421420)
Source: C:\Windows\explorer.exe; Code function: 4x nop then shr r10, 0Dh (5_2_0042C640)
Source: C:\Windows\explorer.exe; Code function: 4x nop then shr r10, 0Dh (5_2_0042DAC0)
Source: C:\Windows\explorer.exe; Code function: 4x nop then lock or byte ptr [rdx], dil (5_2_00421B60)

        Networking

Source: C:\Windows\explorer.exe; Network Connect: 185.196.10.218:9889
Source: global traffic; TCP traffic: 192.168.2.5:49709 -> 185.196.10.218:9889
Source: Joe Sandbox View; ASN Name: SIMPLECARRIERCH
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49714
Source: Network traffic; Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49902
Both SID 2022930 alerts are content matches on data the sandbox received from TCP port 443 of 4.245.163.56, and the signature summary above rates the Suricata alerts as low severity; the connection that the injected explorer.exe itself opens is the separate non-standard-port session to 185.196.10.218:9889.
Source: powershell.exe, 00000007.00000002.2093632871.000001DF101B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069386715.000001DF018E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093632871.000001DF1007D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000007.00000002.2069386715.000001DF00231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.2069386715.000001DF00001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.11.dr; String found in binary or memory: http://upx.sf.net
Source: powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000007.00000002.2069386715.000001DF00231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2069386715.000001DF00001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000007.00000002.2093632871.000001DF1007D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.2093632871.000001DF1007D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.2093632871.000001DF1007D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000007.00000002.2069386715.000001DF00231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2069386715.000001DF00C31000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2093632871.000001DF101B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069386715.000001DF018E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093632871.000001DF1007D000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://oneget.orgX
Source: C:\Users\user\Desktop\file.exe; Code functions: 0_2_00007FF848F3F689, 0_2_00007FF848F3BEB4, 0_2_00007FF848F3DABA, 0_2_00007FF848F456F2, 0_2_00007FF848F350F1, 0_2_00007FF848F34F20, 0_2_00007FF848F3C720, 0_2_00007FF848F32FF0, 0_2_00007FF848F311F2, 0_2_00007FF849000001
Source: C:\Windows\explorer.exe; Code functions: 5_2_0040D200, 5_2_00440540, 5_2_004479A0, 5_2_00436A20, 5_2_00429B20, 5_2_00428D20, 5_2_0040DDA0, 5_2_00416EE0, 5_2_00401FE0, 5_2_0041A020, 5_2_0044F160, 5_2_00442180, 5_2_0041F1A0, 5_2_0043E220, 5_2_0040A440, 5_2_0047C460, 5_2_00465420, 5_2_0041B480, 5_2_00452480, 5_2_0043A520, 5_2_0042C640, 5_2_00426620, 5_2_004236C0, 5_2_0045E720, 5_2_004337C0, 5_2_0043D8C0, 5_2_00453940, 5_2_0040E960, 5_2_0041B9A0, 5_2_00430A40, 5_2_00427A60, 5_2_0044BA20, 5_2_0042DAC0, 5_2_00415AE0, 5_2_00467AA9, 5_2_0042CB00, 5_2_00403BE0, 5_2_0042FCC0, 5_2_00439CE0, 5_2_0047CC80, 5_2_0041ADC0, 5_2_00421DE0, 5_2_0042EEA0, 5_2_00440FC0
Source: C:\Windows\explorer.exe; Code function: String function 00438F40 appears 516 times
Source: C:\Windows\explorer.exe; Code function: String function 0043AA40 appears 77 times
Source: C:\Windows\explorer.exe; Code function: String function 00439020 appears 33 times
Source: C:\Windows\explorer.exe; Code function: String function 0043B260 appears 632 times
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5988 -s 1176
Source: file.exe; Static PE information: No import functions for PE file found
Source: file.exe, 00000000.00000000.2010714139.0000029901E86000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameFuckingShit.exe8 vs file.exe
Source: file.exe; Binary or memory string: OriginalFilenameFuckingShit.exe8 vs file.exe
Source: file.exe, -------.cs; Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine; Classification label: mal100.spre.expl.evad.mine.winEXE@15/13@0/1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_03
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5988
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3phr1dxb.ozf.ps1
        Source: C:\Windows\explorer.exeFile opened: C:\Windows\system32\b7075557a65310bd2b482103eb94272981f1519f358f4e0931d9562ce0779429AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\explorer.exe
Source: unknown; Process created: C:\Windows\explorer.exe
Source: file.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe; Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Users\user\Desktop\file.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\file.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe; ReversingLabs: Detection: 26%
        Source: explorer.exeString found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
        Source: explorer.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
        Source: explorer.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
        Source: explorer.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
        Source: explorer.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
        Source: explorer.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
        Source: explorer.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
        Source: explorer.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
        Source: explorer.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
        Source: explorer.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
        Source: explorer.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
        Source: explorer.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
        Source: explorer.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
        Source: explorer.exeString found in binary or memory: :cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogsc
        Source: explorer.exeString found in binary or memory: :cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogsc
        Source: explorer.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
        Source: explorer.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
        Source: explorer.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
        Source: explorer.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
        Source: explorer.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
        Source: explorer.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
        Source: explorer.exe | String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
        Source: explorer.exe | String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
        Source: explorer.exe | String found in binary or memory: ry/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: Virt
        Source: explorer.exe | String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
        Source: explorer.exe | String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
        Source: explorer.exe | String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
        Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\explorer.exe'; $s.Save()"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5988 -s 1176
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        Source: unknown | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\explorer.exe'; $s.Save()"
        Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: wbemcomn.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\explorer.exe | Section loaded: winmm.dll
        Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
        Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
        Source: C:\Windows\explorer.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: scrrun.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
        Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
        Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
        Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
        Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
        Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
        Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
        Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
        Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
        Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
        Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
        Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
        Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
        Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
        Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
        Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
        Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
        Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
        Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
        Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
        Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
        Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
        Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
        Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\explorer.exe | Section loaded: slc.dll
        Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
        Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
        Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
        Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
        Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
        Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
        Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
        Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
        Source: C:\Windows\explorer.exe | Section loaded: icu.dll
        Source: C:\Windows\explorer.exe | Section loaded: mswb7.dll
        Source: C:\Windows\explorer.exe | Section loaded: windows.storage.search.dll
        Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
        Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
        Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
        Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
        Source: Nexus.lnk.7.dr | LNK file: ..\..\..\..\..\..\..\..\..\Windows\explorer.exe
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: file.exe | Static file information: File size 4017807 > 1048576
        Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: mscorlib.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.ni.pdbRSDS source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.pdbq1 source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.pdb0 source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Management.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: mscorlib.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Management.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Core.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.ni.pdbRSDS source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Core.ni.pdbRSDS source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: Binary string: System.Core.ni.pdb source: WERB5DA.tmp.dmp.11.dr
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848F307DD pushad ; retn 48E2h | 0_2_00007FF848F307F1
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848F360B9 pushad ; retf 0008h | 0_2_00007FF848F360BA
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF848F300BD pushad ; iretd | 0_2_00007FF848F300C1
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FF849000001 push esp; retf 4810h | 0_2_00007FF849000312
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 7_2_00007FF848F300BD pushad ; iretd | 7_2_00007FF848F300C1

        Boot Survival

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: .lnk'); $s.TargetPath = 'C:\Windows\explorer.exe'; $s.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell engine required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can be used in galleries to represen
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
        Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion

        Source: Yara match | File source: Process Memory Space: file.exe PID: 5988, type: MEMORYSTR
        Source: C:\Users\user\Desktop\file.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLLP
        Source: file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
        Source: C:\Users\user\Desktop\file.exe | Memory allocated: 29903970000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2991BB00000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
        Source: C:\Users\user\Desktop\file.exe | File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
        Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
        Source: C:\Users\user\Desktop\file.exe | File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: C:\Users\user\Desktop\file.exe | File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
        Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
        Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
        Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
        Source: C:\Windows\explorer.exeCode function: 5_2_0046A800 rdtscp5_2_0046A800
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7056Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2359Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2167Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3376Thread sleep count: 7056 > 30Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3376Thread sleep count: 2359 > 30Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5504Thread sleep time: -7378697629483816s >= -30000sJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1436Thread sleep time: -1844674407370954s >= -30000sJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6164Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\explorer.exeCode function: 5_2_00434940 GetProcessAffinityMask,GetSystemInfo,5_2_00434940
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: Amcache.hve.11.drBinary or memory string: VMware
        Source: file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QEMUP
        Source: file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Amcache.hve.11.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: powershell.exe, 00000007.00000002.2099650625.000001DF7741B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
        Source: Amcache.hve.11.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
        Source: powershell.exe, 00000007.00000002.2099062910.000001DF771FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: War&Prod_VMware_
        Source: Amcache.hve.11.drBinary or memory string: vmci.sys
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: Amcache.hve.11.drBinary or memory string: VMware20,1
        Source: file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
        Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.11.drBinary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.11.drBinary or memory string: VMware Virtual disk SCSI Disk Device
        Source: file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools {
        Source: Amcache.hve.11.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Source: Amcache.hve.11.drBinary or memory string: VMware PCI VMCI Bus Device
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
        Source: Amcache.hve.11.drBinary or memory string: VMware VMCI Bus Device
        Source: Amcache.hve.11.drBinary or memory string: VMware Virtual RAM
        Source: Amcache.hve.11.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWAREP
        Source: explorer.exe, 00000005.00000002.3264436749.0000000001048000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlljj
        Source: Amcache.hve.11.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
        Source: powershell.exe, 00000007.00000002.2099650625.000001DF7741B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
        Source: Amcache.hve.11.drBinary or memory string: VMware Virtual USB Mouse
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareP
        Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin
        Source: Amcache.hve.11.drBinary or memory string: VMware, Inc.
        Source: Amcache.hve.11.drBinary or memory string: VMware20,1hbin@
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
        Source: Amcache.hve.11.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
        Source: Amcache.hve.11.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.11.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
        Source: Amcache.hve.11.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.11.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIP
        Source: file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
        Source: Amcache.hve.11.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
        Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin`
        Source: Amcache.hve.11.drBinary or memory string: \driver\vmci,\driver\pci
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: Amcache.hve.11.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.11.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

        Anti Debugging

        Source: C:\Windows\explorer.exe -- Code function: 5_2_0046A800 Start: 0046A809 End: 0046A81F
        Source: C:\Users\user\Desktop\file.exe -- Process queried: DebugPort (2 identical rows)
        Source: C:\Windows\explorer.exe -- Code function: 5_2_0046A800 rdtscp
        Source: C:\Users\user\Desktop\file.exe -- Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug (2 identical rows)
        Source: C:\Windows\explorer.exe -- Code function: 5_2_0044E060 RtlAddVectoredExceptionHandler,RtlAddVectoredContinueHandler,RtlAddVectoredContinueHandler
        Source: C:\Users\user\Desktop\file.exe -- Memory allocated: page read and write | page guard
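Two things a triage analyst wants from the sandbox-evasion and anti-debugging rows above that the raw tables do not give: which hypervisor or tool each check is fingerprinting, and which rows are the sample's own checks as opposed to the analysis VM describing itself (the Amcache.hve strings and the VMware device names inside powershell.exe memory are the latter; only the file.exe API calls, the strings in file.exe memory, and the explorer.exe code it injected speak for the sample). The Python below is an added example written for this page, not Joe Sandbox code and not the sample's code: it takes constructed copies of a dozen rows from the two tables, maps each detail to the artefact family it fingerprints, and weights each hit by its source. The rule table, the family names and the sample/child/environ weighting are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: behaviour rows copied from the tables above, reduced to
# (source, event kind, detail).  Amcache and powershell rows are kept on purpose so the
# weighting below can show that they describe the analysis VM rather than the sample.
ROWS = [
    ("C:\\Users\\user\\Desktop\\file.exe", "WMI Queries",
     "IWbemServices::ExecQuery - ROOT\\cimv2 : SELECT * FROM Win32_VideoController"),
    ("file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmp",
     "Binary or memory string", "WINE_GET_UNIX_FILE_NAME"),
    ("file.exe, 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmp",
     "Binary or memory string", "SBIEDLL.DLL"),
    ("file.exe, 00000000.00000002.2250224774.0000029903B8C000.00000004.00000800.00020000.00000000.sdmp",
     "Binary or memory string", "QEMUP"),
    ("C:\\Users\\user\\Desktop\\file.exe", "Registry key queried",
     "HKEY_LOCAL_MACHINE\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0 name: Identifier"),
    ("C:\\Users\\user\\Desktop\\file.exe", "File opened / queried", "C:\\WINDOWS\\system32\\drivers\\vmmouse.sys"),
    ("C:\\Users\\user\\Desktop\\file.exe", "File opened / queried", "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys"),
    ("C:\\Users\\user\\Desktop\\file.exe", "Registry key queried",
     "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System name: SystemBiosVersion"),
    ("C:\\Windows\\explorer.exe", "Code function", "5_2_0046A800 rdtscp"),
    ("C:\\Users\\user\\Desktop\\file.exe", "Process queried", "DebugPort"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Thread delayed",
     "delay time: 922337203685477"),
    ("Amcache.hve.11.dr", "Binary or memory string", "VMware Virtual disk SCSI Disk Device"),
]

# TimeSpan.MaxValue in milliseconds: (2**63 - 1) ticks / 10_000 ticks per ms.  A wait of
# exactly this length is the .NET runtime's "infinite" timeout, so by itself it is weak
# evidence of deliberate sandbox stalling.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

# (pattern over the detail column, family, what the check fingerprints); first match wins.
RULES = [
    (r"vmmouse\.sys|vmhgfs\.sys|vmware", "vmware", "VMware Tools drivers / registry keys"),
    (r"vboxmouse\.sys|vbox", "virtualbox", "VirtualBox Guest Additions drivers"),
    (r"\bqemu", "qemu", "QEMU device / vendor strings"),
    (r"wine_get_unix_file_name", "wine", "export that only Wine's kernel32 provides"),
    (r"sbiedll\.dll", "sandboxie", "DLL Sandboxie injects into sandboxed processes"),
    (r"win32_videocontroller|videobiosversion|systembiosversion|scsi port|services\\disk\\enum|driverdesc",
     "generic-vm", "hardware, BIOS and disk identifiers that carry the hypervisor's name"),
    (r"\brdtscp?\b", "timing", "RDTSC(P) delta check for single-stepping or emulation"),
    (r"debugport", "debugger", "NtQueryInformationProcess(ProcessDebugPort)"),
    (r"delay time: \d+|sleep time", "stalling", "long sleep to outlive the sandbox's run window"),
]


def classify(detail: str):
    """Map one detail string to (family, meaning), or None if it is not an evasion check."""
    for pattern, family, meaning in RULES:
        if re.search(pattern, detail, re.IGNORECASE):
            return family, meaning
    return None


def basename(source: str) -> str:
    # "C:\...\file.exe" and "file.exe, 00000000.…sdmp" both reduce to "file.exe"
    return source.split(",")[0].rstrip("\\").split("\\")[-1].lower()


def evidence_weight(source: str, kind: str) -> str:
    """sample  : the sample's own code or memory (file.exe, or explorer.exe which it injects into)
       child   : API behaviour of a process the sample spawned (powershell.exe); real, but it may
                 be the runtime's doing rather than the sample's
       environ : the analysis VM describing itself (Amcache hive, strings inside a Microsoft
                 binary); says nothing about what the sample checks"""
    name = basename(source)
    if name in ("file.exe", "explorer.exe"):
        return "sample"
    if kind == "Binary or memory string" or name.startswith("amcache"):
        return "environ"
    return "child"


def summarize(rows):
    """Return {weight: {family: [details]}} for every row that looks like an evasion check."""
    out = defaultdict(lambda: defaultdict(list))
    for source, kind, detail in rows:
        hit = classify(detail)
        if hit is None:
            continue
        family = hit[0]
        if family == "stalling":
            m = re.search(r"(\d+)", detail)
            if m and int(m.group(1)) == TIMESPAN_MAX_MS:
                family = "stalling-infinite-wait"
        out[evidence_weight(source, kind)][family].append(detail)
    return {weight: dict(fams) for weight, fams in out.items()}


if __name__ == "__main__":
    for weight, fams in summarize(ROWS).items():
        print(f"[{weight}]")
        for family, details in fams.items():
            print(f"  {family}: {len(details)} hit(s)")
```

Run it and the VMware, VirtualBox, QEMU, Wine and Sandboxie checks land under sample, the Amcache row under environ, and the powershell.exe delay is set apart: 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds, the value .NET uses for an infinite wait, so that row says little about deliberate stalling even though the sleep signatures fire on it.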

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\explorer.exe -- Network Connect: 185.196.10.218 9889
        Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force (3 identical rows)
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 400000 value: 4D
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 401000 value: FF
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 4EE000 value: 00
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 600000 value: FF
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 699000 value: 80
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 6A0000 value: 01
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 6A1000 value: 5A
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 6A2000 value: 5A
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 6D3000 value: 5A
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 6DE000 value: 01
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 6DF000 value: 5A
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 739000 value: 5A
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 76E000 value: 5A
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 780000 value: D4
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 781000 value: 00
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: 786000 value: 00
        Source: C:\Users\user\Desktop\file.exe -- Memory written: PID: 5600 base: CFD010 value: 00
        Source: C:\Users\user\Desktop\file.exe -- Thread register set: target process: 5600
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 400000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 401000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 4EE000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 600000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 699000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 6A0000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 6A1000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 6A2000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 6D3000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 6DE000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 6DF000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 739000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 76E000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 780000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 781000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: 786000
        Source: C:\Users\user\Desktop\file.exe -- Memory written: C:\Windows\explorer.exe base: CFD010
        Source: C:\Users\user\Desktop\file.exe -- Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" (2 identical rows)
        Source: C:\Users\user\Desktop\file.exe -- Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (12 identical rows)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical rows)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 identical rows)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation (3 identical rows)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 identical rows)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Users\user\Desktop\file.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\file.exe -- Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
        Source: Amcache.hve.11.dr -- Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
        Source: Amcache.hve.11.dr -- Binary or memory string: msmpeng.exe
        Source: Amcache.hve.11.dr -- Binary or memory string: c:\program files\windows defender\msmpeng.exe
        Source: Amcache.hve.11.dr -- Binary or memory string: MsMpEng.exe
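The HIPS and security-settings rows above record the moves an endpoint detection should tie together rather than alert on one by one: a PE image written page by page into explorer.exe (the first write at base 400000 begins with 4D5A, the "MZ" header) followed by a thread-context change on the same PID 5600, a Defender exclusion for the sample's own path added through Add-MpPreference, EnableLUA written under Policies\System, and then the injected explorer.exe opening a socket to 185.196.10.218 on port 9889. The Python below is an added example for this page, not Joe Sandbox's code and not the sample's: it replays constructed copies of those rows, joins the PID-keyed and image-keyed write lists that the report shows separately, and emits one finding per step. The finding labels, the SYSTEM_IMAGES set, and the reading of the lone write at CFD010 as a PEB.ImageBaseAddress patch (offset 0x10 into its page, where that field sits in the x64 PEB) are this example's own assumptions, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: rows from the two tables above, reduced to (source process, event
# kind, detail).  The write list is a subset of the pages reported for PID 5600 / explorer.exe.
EVENTS = [
    ("C:\\Windows\\explorer.exe", "Network Connect", "185.196.10.218 9889"),
    ("C:\\Users\\user\\Desktop\\file.exe", "Process created",
     '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" Add-MpPreference '
     '-ExclusionPath "C:\\Users\\user\\Desktop\\file.exe" -Force'),
    ("C:\\Users\\user\\Desktop\\file.exe", "Memory written",
     "C:\\Windows\\explorer.exe base: 400000 value starts with: 4D5A"),
    ("C:\\Users\\user\\Desktop\\file.exe", "Process created", '"C:\\Windows\\explorer.exe"'),
    ("C:\\Users\\user\\Desktop\\file.exe", "Thread register set", "target process: 5600"),
    ("C:\\Users\\user\\Desktop\\file.exe", "Registry value created",
     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System EnableLUA"),
]
# The report lists each written page twice: once keyed by PID with the first byte, once keyed by image.
_PAGES = [("400000", "4D"), ("401000", "FF"), ("4EE000", "00"), ("600000", "FF"),
          ("6A0000", "01"), ("786000", "00"), ("CFD010", "00")]
EVENTS += [("C:\\Users\\user\\Desktop\\file.exe", "Memory written", f"PID: 5600 base: {b} value: {v}")
           for b, v in _PAGES]
EVENTS += [("C:\\Users\\user\\Desktop\\file.exe", "Memory written", f"C:\\Windows\\explorer.exe base: {b}")
           for b, _ in _PAGES]

WRITE_RE = re.compile(r"^(?:PID: (?P<pid>\d+)|(?P<image>\S+)) base: (?P<base>[0-9A-Fa-f]+)"
                      r"(?: value(?: starts with)?: (?P<val>[0-9A-Fa-f]+))?$")
EXCL_RE = re.compile(r'Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+(?:"([^"]*)"|(\S+))', re.I)
THREAD_RE = re.compile(r"target process: (\d+)")
UAC_RE = re.compile(r"\\Policies\\System EnableLUA$", re.I)
# Assumption: shell/system images that have no business opening outbound sockets of their own.
SYSTEM_IMAGES = {"explorer.exe"}


def basename(path: str) -> str:
    return path.strip('"').split("\\")[-1].lower()


def detect(events):
    """Return (kind, subject, detail) findings.  Writes are correlated per target so that an
    MZ header at the lowest written address plus SetThreadContext on the same process is
    reported as one injection chain rather than thirty unrelated rows."""
    findings = []
    writes = defaultdict(list)          # target (PID or image path) -> [(base, first bytes)]
    thread_targets = set()
    for source, kind, detail in events:
        if kind == "Memory written":
            m = WRITE_RE.match(detail)
            if m:
                target = m.group("pid") or m.group("image")
                writes[target].append((int(m.group("base"), 16), (m.group("val") or "").upper()))
        elif kind == "Thread register set":
            m = THREAD_RE.search(detail)
            if m:
                thread_targets.add(m.group(1))
        elif kind == "Process created":
            m = EXCL_RE.search(detail)
            if m:
                findings.append(("defender-exclusion", source, f"{m.group(1)}={m.group(2) or m.group(3)}"))
        elif kind == "Registry value created" and UAC_RE.search(detail):
            findings.append(("uac-policy-tampered", source, "EnableLUA"))
        elif kind == "Network Connect" and basename(source) in SYSTEM_IMAGES:
            findings.append(("system-process-network", source, detail))

    # Join the PID-keyed and image-keyed write lists when they cover exactly the same pages.
    image_of = {}
    for pid in [t for t in writes if t.isdigit()]:
        pages = {b for b, _ in writes[pid]}
        for other in writes:
            if not other.isdigit() and {b for b, _ in writes[other]} == pages:
                image_of[pid] = other
    for target in writes:
        if target in image_of.values():
            continue                                    # reported under its PID below
        merged = {}                                     # base -> longest value seen for that page
        for b, v in writes[target] + writes.get(image_of.get(target), []):
            if b not in merged or len(v) > len(merged[b]):
                merged[b] = v
        bases = sorted(merged)
        if not merged[bases[0]].startswith("4D5A"):     # 'MZ' at the lowest written address
            continue
        label = f"{target} ({image_of.get(target, 'image unknown')})"
        findings.append(("pe-image-written", label, f"base=0x{bases[0]:X} pages={len(bases)}"))
        if target in thread_targets:
            findings.append(("thread-context-hijack", label, "SetThreadContext after the PE write"))
        for b in bases:                                 # heuristic, see lead-in: PEB+0x10 on x64
            if b & 0xFFF == 0x10:
                findings.append(("possible-peb-imagebase-patch", label, f"write at 0x{b:X}"))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding, sep=" | ")
```

The chain only fires when the MZ bytes sit at the lowest written address of a target, so the many single-byte rows stay silent on their own; it is the image-keyed row carrying "value starts with: 4D5A" that upgrades them. On a host, the same correlation would run over Sysmon or ETW process-access, thread and registry events instead of report rows.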
        MITRE ATT&CK Matrix (techniques flagged by this analysis, each prefixed with the number the matrix shows beside it; matrix cells with no hit are omitted)

        Execution: 1 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 PowerShell
        Persistence: 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
        Privilege Escalation: 511 Process Injection; 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
        Defense Evasion: 1 Masquerading; 21 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 511 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
        Discovery: 241 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery
        Collection: 11 Archive Collected Data
        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port
        Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration, Impact: no techniques flagged
        Behavior Graph (ID 1546398, sample file.exe, start date 31/10/2024, architecture WINDOWS, score 100)

        Top-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Powershell create lnk in startup; Yara detected UAC Bypass using CMSTP; 5 other signatures.
        file.exe (started at top level): Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Injects code into the Windows Explorer (explorer.exe); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 5 other signatures. Starts explorer.exe, powershell.exe, WerFault.exe and 2 other processes.
        explorer.exe (started by file.exe): connects to 185.196.10.218 (ports 49709, 49716, 49752; SIMPLECARRIERCH, Switzerland); System process connects to network (likely due to code injection or exploit); Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners); Potentially malicious time measurement code found. Starts powershell.exe.
        explorer.exe (second instance, started at top level).
        powershell.exe (started by file.exe): Powershell creates an autostart link; Loading BitLocker PowerShell Module. Starts WmiPrvSE.exe and conhost.exe.
        WerFault.exe (started by file.exe): drops C:\ProgramData\Microsoft\...\Report.wer (Unicode).
        powershell.exe (started by explorer.exe): drops C:\Users\user\AppData\Roaming\...35exus.lnk (MS); starts conhost.exe.

Source | Detection | Scanner | Label | Link
file.exe | 26% | ReversingLabs | Win64.Trojan.Generic |
file.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
https://go.micro | 0% | URL Reputation | safe |
https://contoso.com/ | 0% | URL Reputation | safe |
https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
https://contoso.com/License | 0% | URL Reputation | safe |
https://contoso.com/Icon | 0% | URL Reputation | safe |
https://oneget.orgX | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
https://aka.ms/pscore68 | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://oneget.org | 0% | URL Reputation | safe |
        No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000007.00000002.2093632871.000001DF101B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069386715.000001DF018E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093632871.000001DF1007D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000007.00000002.2069386715.000001DF00231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000007.00000002.2069386715.000001DF00231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://go.micro | powershell.exe, 00000007.00000002.2069386715.000001DF00C31000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000007.00000002.2093632871.000001DF1007D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000007.00000002.2093632871.000001DF101B4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069386715.000001DF018E2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2093632871.000001DF1007D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000007.00000002.2093632871.000001DF1007D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000007.00000002.2093632871.000001DF1007D000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.11.dr | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000007.00000002.2069386715.000001DF00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000007.00000002.2069386715.000001DF00001000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000007.00000002.2069386715.000001DF00231000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://oneget.org | powershell.exe, 00000007.00000002.2069386715.000001DF016B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.196.10.218 | unknown | Switzerland | | 42624 | SIMPLECARRIERCH | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1546398
Start date and time: 2024-10-31 20:56:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.spre.expl.evad.mine.winEXE@15/13@0/1
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 83%
• Number of executed functions: 19
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.182.143.212
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 368 because it is empty
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
15:56:56 | API Interceptor | 29x Sleep call for process: powershell.exe modified
15:57:15 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
20:57:01 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk
              No context
              No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SIMPLECARRIERCH | sipari_.exe | Get hash | malicious | AgentTesla | Browse | 185.196.9.150
SIMPLECARRIERCH | UGcjMkPWwW.exe | Get hash | malicious | RHADAMANTHYS | Browse | 185.196.11.237
SIMPLECARRIERCH | x86_64.bin.elf | Get hash | malicious | Unknown | Browse | 185.196.10.215
SIMPLECARRIERCH | fEv4R2ahiLCQa5O.exe | Get hash | malicious | AgentTesla | Browse | 185.196.9.150
SIMPLECARRIERCH | PW68YarHboeikgM.exe | Get hash | malicious | AgentTesla | Browse | 185.196.9.150
SIMPLECARRIERCH | IND24072113.xlsx | Get hash | malicious | Unknown | Browse | 185.196.10.234
SIMPLECARRIERCH | SecuriteInfo.com.Win32.MalwareX-gen.30759.2179.exe | Get hash | malicious | AgentTesla, PureLog Stealer, zgRAT | Browse | 185.196.9.150
SIMPLECARRIERCH | request-BPp -RFQ 0975432.exe | Get hash | malicious | PureLog Stealer | Browse | 185.196.10.234
SIMPLECARRIERCH | IND24072113_1.xlsx | Get hash | malicious | Unknown | Browse | 185.196.10.234
SIMPLECARRIERCH | RepozetorySetup.exe | Get hash | malicious | RedLine | Browse | 185.196.9.26
              No context
              No context
Process: C:\Windows\System32\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2159409146921198
Encrypted: false
SSDEEP: 192:J6pB6yN8qn5v2P10UnUQExaWBHp8DZVWdzuiFdZ24lO8iyUBD:A/6G8s2OUnUFamHCXCzuiFdY4lO8iTD
MD5: E7B8C5AF2E32E870B27A1C338AB3D92C
SHA1: D27AD389B979DC863FE816A766B357FBADD58516
SHA-256: 920585535865A0AA64856300EE493831A83F23649331B7539D1806C231F6A5DB
SHA-512: 7669FF691FA45D9E2D259462CDE21434103E823A573DE3CFAAB700ECF35E5893DE77B554598068253702A3138715B1BE663F238D48A452053FCC746D211C2C26
Malicious: true
Reputation: low
Preview (UTF-16 text decoded):
Version=1
EventType=APPCRASH
EventTime=133748782160785783
ReportType=2
Consent=1
UploadTime=133748782176254519
ReportStatus=524384
ReportIdentifier=9dc1ee04-6c80-4698-8c9e-e110a755b055
IntegratorReportIdentifier=c42ee9ca-e8e5-4c6f-86b3-a3701944c49b
Wow64Host=34404
NsAppName=file.exe
OriginalFilename=FuckingShit.exe
AppSessionGuid=00001764-0001-0014-9a53-7507cf2bdb01
TargetAppId=W:00067e37a6c638f56bcf23e8570fc8f11f3300000000!00002ffa0bb9f123f6e8cda8ef398d33c1c71a01961e!file.exe
Tar
Process: C:\Windows\System32\WerFault.exe
File Type: Mini DuMP crash report, 16 streams, Thu Oct 31 19:56:56 2024, 0x1205a4 type
Category: dropped
Size (bytes): 481087
Entropy (8bit): 3.300228282967546
Encrypted: false
SSDEEP: 6144:ig1dSg5AO8/AlQySJX5i+ARFBd6F3hld4aM/q7/j3Q:ig1F31RWMaEq7bQ
MD5: AF56393EC45D749EF1D076F059C3FA71
SHA1: 1B7011E4D35B99A399274ECA1CD4F00B8A5538E0
SHA-256: F31DD32D1380CBEE544D43946B7B17D655A1641FDA269D42A7EBDB949CC33447
SHA-512: 5FD47F20688B9D3F04FF6AF654E4AB53E8EC4229BBE8D85F4AB9EEE1628EC4E7845FE3750C325658B5743432BE030243BEB518AB4572F7949C020B470754A219
Malicious: false
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8576
Entropy (8bit): 3.7054540935931337
Encrypted: false
SSDEEP: 192:R6l7wVeJpmCSbN26YEIi0ZogmfBK4Qprt89blg0fFQXm:R6lXJpgA6YEd0Zogmf44PljfFt
MD5: 293650D6837F27C21BEC9F8B1F772555
SHA1: 3969FA851A78D27A2F13B09A7DB6885EFAA7FB0E
SHA-256: FA01508180A78ABD7F448650035940BABFA787B2DB2D74C5A72515A563399C8F
SHA-512: AF8557A41C850DCBDB3D9AFDEDF303FD0C730FC23A00E6D484F31083F82192C6BDEE7E0D17605102E5DB8714BFF38892B3CFD8C8525895956366A689B87C0AD1
Malicious: false
Preview (UTF-16 text decoded):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>5988</Pi
Process: C:\Windows\System32\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4729
Entropy (8bit): 4.49101116160992
Encrypted: false
SSDEEP: 48:cvIwWl8zsLJg771I969WpW8VY1Ym8M4J4+F8/Wyq85ZGJhKd:uIjflI7ZM7VdJyexJhKd
MD5: BDD8944DDBE858A56B303FAFCE94F80E
SHA1: F992FE61B5FB2061A19485F45E067A0E3FC71C84
SHA-256: DE21D3A9BAA21A8C0A4F6C8F0DC19232207F6F3DEF20CE77BE1722A3796BCAB1
SHA-512: DF875FFCAB890DE4F66675AD2F096EEC9D67DD1DB44E69DCFBD1893AE122D58CB528B3688A6E9BE6D792082AA4BBB476FA241274F426E0DCCDF75C406449DBFE
Malicious: false
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
  <tlm>
    <src>
      <desc>
        <mach>
          <os>
            <arg nm="vermaj" val="10" />
            <arg nm="vermin" val="0" />
            <arg nm="verbld" val="19045" />
            <arg nm="vercsdbld" val="2006" />
            <arg nm="verqfe" val="2006" />
            <arg nm="csdbld" val="2006" />
            <arg nm="versp" val="0" />
            <arg nm="arch" val="9" />
            <arg nm="lcid" val="2057" />
            <arg nm="geoid" val="223" />
            <arg nm="sku" val="48" />
            <arg nm="domain" val="0" />
            <arg nm="prodsuite" val="256" />
            <arg nm="ntprodtype" val="1" />
            <arg nm="platid" val="2" />
            <arg nm="tmsi" val="568019" />
            <arg nm="osinsty" val="1" />
            <arg nm="iever" val="11.789.19041.0-11.0.1000" />
            <arg nm="portos" val="0" />
            <arg nm="ram" val="409
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllulbnolz:NllUc
MD5: F23953D4A58E404FCB67ADD0C45EB27A
SHA1: 2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256: 16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512: B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious: false
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 8 02:05:19 2022, mtime=Thu Oct 31 18:56:55 2024, atime=Thu Sep 8 02:05:19 2022, length=5141208, window=hide
Category: dropped
Size (bytes): 833
Entropy (8bit): 4.664519124807269
Encrypted: false
SSDEEP: 12:8IVqm/nMIX6UVjyPI2ZjALK8W+IMcgL6CNbR/z5IA4t2YZ/elFlSJmkmV:8a/uUsjdAk+IMct2bRL5IYqygm
MD5: 049B3C8FFFBF68AB407EC6065A2E9EEC
SHA1: D053D2EAA615B7690D5B89286823060E8315174B
SHA-256: 799DC686203B7D49CCA1290E56D16313BF6629E6A40F17300A94C34470055AD5
SHA-512: D498A20C1BE0499B185FB3EA231EC6491B587178CCAD76D2B38A99DD3A29143237FEF781A5E717A558B5C3049177EC897CF17BD8D0EF209273FB7FD04B29F45F
Malicious: true
Process: C:\Windows\System32\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.421666803294391
Encrypted: false
SSDEEP: 6144:7Svfpi6ceLP/9skLmb0OTKWSPHaJG8nAgeMZMMhA2fX4WABlEnN20uhiTw:mvloTKW+EZMM6DFy403w
MD5: CBC9D614CD07696061ABC5091ADAA90C
SHA1: 1AB031DDAA5860519D3A587D3FDC8604E04E6404
SHA-256: 369A74D0806A26F056A19F24A2A41D69172905454F4EBDCFF5120B4FDCC064BC
SHA-512: FCE4264FA609183CA3DDF8D12AA957AB965E27678EE04E719D5FE14619758F1833ACB9EDCFA4108BE4533103B47A2948EBF89CC34DFC18E80DEF8B1B2AC483AF
Malicious: false
File type: PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.852427647416436
TrID:
• Win64 Executable Console Net Framework (206006/5) 48.58%
• Win64 Executable Console (202006/5) 47.64%
• Win64 Executable (generic) (12005/4) 2.83%
• Generic Win/DOS Executable (2004/3) 0.47%
• DOS Executable Generic (2002/1) 0.47%
File name: file.exe
File size: 4'017'807 bytes
MD5: f5d31bef57f4d69af9f1b44a6f8f8d5e
SHA1: 2ffa0bb9f123f6e8cda8ef398d33c1c71a01961e
SHA256: 88dbbdcc10e16ae14103f8a0cbcd2d692668fc78efcc36a406880ff1e6b5fac0
SHA512: c07729ab676d6db44b0176fd64d0ec79936bbdba2f2526f7b2f24e4e407e8100372329195018d661e2d79536cd02b9046acf739cebee0607aacbfa3331d9395a
SSDEEP: 49152:oyXV/ctnAqeOjKiPPDWw9OmzBo4H0yr+334/PYWsRtQ4vEphxd+ykCSMpt4xYhp0:rcO2RPP8mlH0yr+0W/5vEpnYmuxY7HET
TLSH: B906334070878E2BFD69657AC0C278F683FDAC1771F6569FDF9A0E69988083F8658170
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....f#g.........."...0.Z)............... ....@...... ....................................`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x400000
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x672366A9 [Thu Oct 31 11:14:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash:
              Instruction
              dec ebp
              pop edx
              nop
              add byte ptr [ebx], al
              add byte ptr [eax], al
              add byte ptr [eax+eax], al
              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x5f6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x48ba | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x295a | 0x2a00 | 694cfce85e35dbf9ffddd1af95a98d29 | False | 0.623046875 | data | 6.274491221294587 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x5f6 | 0x600 | c49dc9dc5c1b1149f6f38bdcafe82caa | False | 0.4166666666666667 | data | 4.214703724660371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x60a0 | 0x36c | data | | | 0.3938356164383562
RT_MANIFEST | 0x640c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T20:57:11.715249+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.5 | 49714 | TCP
2024-10-31T20:57:49.883637+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.5 | 49902 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 20:57:02.390150070 CET | 49709 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:02.395452023 CET | 9889 | 49709 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:02.395540953 CET | 49709 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:10.882627010 CET | 9889 | 49709 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:10.882695913 CET | 49709 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:10.882936001 CET | 49709 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:10.883141041 CET | 49716 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:10.888274908 CET | 9889 | 49709 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:10.888303995 CET | 9889 | 49716 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:10.888377905 CET | 49716 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:19.377552032 CET | 9889 | 49716 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:19.377634048 CET | 49716 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:19.378067970 CET | 49716 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:19.378194094 CET | 49752 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:19.383588076 CET | 9889 | 49716 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:19.384279966 CET | 9889 | 49752 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:19.384354115 CET | 49752 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:27.892627954 CET | 9889 | 49752 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:27.892698050 CET | 49752 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:27.892878056 CET | 49752 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:27.893178940 CET | 49796 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:27.897758961 CET | 9889 | 49752 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:27.897948027 CET | 9889 | 49796 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:27.898055077 CET | 49796 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:36.381302118 CET | 9889 | 49796 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:36.381364107 CET | 49796 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:36.386106014 CET | 49840 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:36.386135101 CET | 49796 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:36.390959024 CET | 9889 | 49796 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:36.390974998 CET | 9889 | 49840 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:36.391057968 CET | 49840 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:44.883563042 CET | 9889 | 49840 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:44.883630037 CET | 49840 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:44.883761883 CET | 49840 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:44.883981943 CET | 49881 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:44.890043974 CET | 9889 | 49840 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:44.890181065 CET | 9889 | 49881 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:44.890436888 CET | 49881 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:53.373811007 CET | 9889 | 49881 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:53.373895884 CET | 49881 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:53.374140978 CET | 49930 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:53.374164104 CET | 49881 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:57:53.378984928 CET | 9889 | 49930 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:53.378995895 CET | 9889 | 49881 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:57:53.379111052 CET | 49930 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:58:01.885076046 CET | 9889 | 49930 | 185.196.10.218 | 192.168.2.5
Oct 31, 2024 20:58:01.885170937 CET | 49930 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:58:01.885478020 CET | 49973 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:58:01.885499001 CET | 49930 | 9889 | 192.168.2.5 | 185.196.10.218
Oct 31, 2024 20:58:01.890398026 CET | 9889 | 49930 | 185.196.10.218 | 192.168.2.5
              Oct 31, 2024 20:58:01.890410900 CET988949973185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:01.890507936 CET499739889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:10.394118071 CET988949973185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:10.394243002 CET499739889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:10.394551992 CET499739889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:10.394778013 CET499959889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:10.401236057 CET988949973185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:10.401247978 CET988949995185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:10.401345968 CET499959889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:18.894836903 CET988949995185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:18.895114899 CET499959889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:18.895277023 CET499959889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:18.896259069 CET499969889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:18.900057077 CET988949995185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:18.901113033 CET988949996185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:18.901251078 CET499969889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:27.406367064 CET988949996185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:27.406518936 CET499969889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:27.406761885 CET499969889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:27.406873941 CET499979889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:27.411686897 CET988949996185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:27.411767006 CET988949997185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:27.411834002 CET499979889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:35.914551020 CET988949997185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:35.914618969 CET499979889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:35.914972067 CET499989889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:35.914980888 CET499979889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:35.919734001 CET988949997185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:35.919847965 CET988949998185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:35.919920921 CET499989889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:44.403320074 CET988949998185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:44.403422117 CET499989889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:44.403709888 CET499999889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:44.403717041 CET499989889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:44.410970926 CET988949998185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:44.410983086 CET988949999185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:44.411055088 CET499999889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:52.917947054 CET988949999185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:52.918044090 CET499999889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:52.918293953 CET499999889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:52.918426037 CET500009889192.168.2.5185.196.10.218
              Oct 31, 2024 20:58:52.923147917 CET988949999185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:52.924047947 CET988950000185.196.10.218192.168.2.5
              Oct 31, 2024 20:58:52.924113989 CET500009889192.168.2.5185.196.10.218


              Target ID:0
              Start time:15:56:52
              Start date:31/10/2024
              Path:C:\Users\user\Desktop\file.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\file.exe"
              Imagebase:0x29901e80000
              File size:4'017'807 bytes
              MD5 hash:F5D31BEF57F4D69AF9F1B44A6F8F8D5E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2250224774.0000029903B12000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              Reputation:low
              Has exited:true

              Target ID:1
              Start time:15:56:52
              Start date:31/10/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:15:56:55
              Start date:31/10/2024
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
              Imagebase:0x7ff7be880000
              File size:452'608 bytes
              MD5 hash:04029E121A0CFA5991749937DD22A1D9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:15:56:55
              Start date:31/10/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:5
              Start time:15:56:55
              Start date:31/10/2024
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\explorer.exe"
              Imagebase:0x7ff674740000
              File size:5'141'208 bytes
              MD5 hash:662F4F92FDE3557E86D110526BB578D5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:Go lang
              Reputation:high
              Has exited:false

              Target ID:6
              Start time:15:56:55
              Start date:31/10/2024
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):
              Commandline:"C:\Windows\explorer.exe"
              Imagebase:
              File size:5'141'208 bytes
              MD5 hash:662F4F92FDE3557E86D110526BB578D5
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:false

              Target ID:7
              Start time:15:56:55
              Start date:31/10/2024
              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):false
              Commandline:powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\explorer.exe'; $s.Save()"
              Imagebase:0x7ff7be880000
              File size:452'608 bytes
              MD5 hash:04029E121A0CFA5991749937DD22A1D9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:9
              Start time:15:56:55
              Start date:31/10/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff6d64d0000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:11
              Start time:15:56:55
              Start date:31/10/2024
              Path:C:\Windows\System32\WerFault.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\WerFault.exe -u -p 5988 -s 1176
              Imagebase:0x7ff667730000
              File size:570'736 bytes
              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:13
              Start time:15:56:59
              Start date:31/10/2024
              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Imagebase:0x7ff6ef0c0000
              File size:496'640 bytes
              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
              Has elevated privileges:true
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:16
              Start time:15:57:09
              Start date:31/10/2024
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\explorer.exe"
              Imagebase:0x7ff674740000
              File size:5'141'208 bytes
              MD5 hash:662F4F92FDE3557E86D110526BB578D5
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true
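              Two of the PowerShell command lines in the process list above carry the sample's defence evasion and persistence: the Add-MpPreference -ExclusionPath call that exempts file.exe from Windows Defender scanning, and the WScript.Shell CreateShortcut() call that writes Nexus.lnk into the user's Start Menu\Programs\Startup folder with C:\Windows\explorer.exe as its TargetPath. The Python below is an added example, not code from the report or from the sample, that runs detection logic for both patterns over the transcribed command lines. The rule names, the regular expressions, the handling of -EncodedCommand and the encoded sample line (constructed here only to exercise the decode path; the report's own command line is in clear text) are all assumptions.

```python
import base64
import re

# Command lines transcribed from the process list above, plus one benign
# conhost line and one constructed -EncodedCommand variant (not from the
# report) wrapping the same Add-MpPreference call in base64 of UTF-16LE.
PS_EXE = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
DEFENDER_EXCLUSION_CMD = PS_EXE + r' Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force'
STARTUP_LNK_CMD = (
    'powershell -Command "$ws = New-Object -ComObject WScript.Shell; '
    r"$s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); "
    r"$s.TargetPath = 'C:\Windows\explorer.exe'; "
    '$s.Save()"'
)
CONHOST_CMD = r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"


def encode_ps(script):
    """Encode a script the way -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed for this example; not a command line from the report.
ENCODED_CMD = "powershell.exe -NoProfile -EncodedCommand " + encode_ps(
    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop" -Force')

SAMPLE_CMDLINES = [DEFENDER_EXCLUSION_CMD, STARTUP_LNK_CMD, CONHOST_CMD, ENCODED_CMD]

RULES = {
    # Add-/Set-MpPreference combined with any -Exclusion* parameter
    "defender_exclusion_via_powershell": re.compile(
        r"\b(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension|IpAddress)",
        re.I | re.S),
    # WScript.Shell CreateShortcut() writing a .lnk into a Startup folder
    "startup_lnk_via_powershell": re.compile(
        r"CreateShortcut\([^)]*\\Start Menu\\Programs\\Startup\\[^)]*\.lnk", re.I),
}

_PS_IMAGE = re.compile(r"\bpowershell(\.exe)?\b", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the command line with any -EncodedCommand payload decoded in
    place, so rules written for clear-text cmdlets also hit the encoded form."""
    m = _ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not base64/UTF-16LE after all; evaluate the raw line
    return cmdline[: m.start()] + script + cmdline[m.end():]


def scan(cmdlines):
    """Return (rule name, original command line) for every PowerShell command
    line that matches a rule after -EncodedCommand decoding."""
    hits = []
    for line in cmdlines:
        if not _PS_IMAGE.search(line):
            continue
        decoded = decode_encoded_command(line)
        for name, rx in RULES.items():
            if rx.search(decoded):
                hits.append((name, line))
    return hits


if __name__ == "__main__":
    for name, line in scan(SAMPLE_CMDLINES):
        print(f"[{name}] {line[:80]}")
```

              Both report command lines match once each, the conhost line never does, and the constructed encoded variant is caught only because the base64/UTF-16LE payload is decoded before the rules run. In production the same logic belongs on Sysmon event ID 1 or 4688 command lines and should be paired with a Defender operational-log check for event 5007 (configuration change) on the exclusion side and a file-create watch on the Startup folders on the persistence side, since command-line matching alone misses the same actions performed through WMI or a compiled binary.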


                Execution Graph

                Execution Coverage:13.2%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:6
                Total number of Limit Nodes:0
                execution_graph (two executed paths, both in the dumped region at 7ff848f3xxxx):
                • 7ff848f3381a -> 7ff848f33829 VirtualProtect -> 7ff848f3390b
                • 7ff848f30e65 -> 7ff848f30e89 FreeConsole -> 7ff848f30f1e
                Memory Dump Source
                • Source File: 00000000.00000002.2274429721.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff849000000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0dfa03cae69d1e575dd6286f0bf4b79490f75918a689a5212bbaf339388cd0ce
                • Instruction ID: d2c7bc35e9fd24c9148520daa3e23b22abf0866a54eb29ce71d12b12e71783d5
                • Opcode Fuzzy Hash: 0dfa03cae69d1e575dd6286f0bf4b79490f75918a689a5212bbaf339388cd0ce
                • Instruction Fuzzy Hash: D2E2E87180DAC58FEB66EF2898555A47FF0FF56344F1805FED089CB193EA28A84AC741

                Control-flow Graph

                Control-flow graph (figure; edge list omitted): function starting at 7ff848f32ff0, basic blocks through 7ff848f35b01, with calls to 7ff848f35420, 7ff848f35470, 7ff848f34bc8 and 7ff848f34be8.
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID:
                • String ID: d
                • API String ID: 0-2564639436
                • Opcode ID: 2b52bc9d8be23a9df66dacb22c6341719148e0e3689c8757269bf69b70c3263e
                • Instruction ID: 161bce0cdebabc7d2bd530bf46eb0820a375ecd9fdd40c26a9cd28eee07a2f82
                • Opcode Fuzzy Hash: 2b52bc9d8be23a9df66dacb22c6341719148e0e3689c8757269bf69b70c3263e
                • Instruction Fuzzy Hash: 67224331A1DA4A4FE348EB2894815B177E0FF89354F1442BAC49AC71D7EE28F843C784

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID:
                • String ID: eH
                • API String ID: 0-1998315119
                • Opcode ID: dd24c8cc000a413f016ffd180367a42c70dadde73da35f495660b51e6640b49f
                • Instruction ID: 41be6da4c909e7b57cf9c8c358e2249b442df2210f2b0b5996bc5ab12eca85fa
                • Opcode Fuzzy Hash: dd24c8cc000a413f016ffd180367a42c70dadde73da35f495660b51e6640b49f
                • Instruction Fuzzy Hash: 2A81D631A1CA4A4FD75CFB2898554BAB3E1FF99350F00057EE48BC32D6DE28F9428685

                Control-flow Graph

                Control-flow graph (figure; edge list omitted): function starting at 7ff848f3f689, basic blocks through 7ff848f40613, with calls to 7ff848f3bbe0, 7ff848f38280, 7ff848f37ee0, 7ff848f3c5b0, 7ff848f3d860, 7ff848f301b8, 7ff848f33058, 7ff848f3e250, 7ff848f39e88 and 7ff848f40614.
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 55fa23968dbf81f7399b4bfe043ef866b9d1e0281ae8898425f58704430239f6
                • Instruction ID: a6e13ee2ff9c6f9afc41f50b6a824626278751fae61d06332930a820674c2801
                • Opcode Fuzzy Hash: 55fa23968dbf81f7399b4bfe043ef866b9d1e0281ae8898425f58704430239f6
                • Instruction Fuzzy Hash: 35A2033051CB854FD359EB2884914B5BBE2FFD5341F1449BEE88AC72A6DB38E846C781
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2b53e3b4d811b23017dc3451d0955f36a8eeecc8a03c0ce62cdd624c3fa124cb
                • Instruction ID: 00fa402140f3dae5c896b61700336dd25fba13f5e782fee6c2c8cd6a92655a78
                • Opcode Fuzzy Hash: 2b53e3b4d811b23017dc3451d0955f36a8eeecc8a03c0ce62cdd624c3fa124cb
                • Instruction Fuzzy Hash: D672653190CA868FE759AF2884512B5BBE1EF91354F1441BDD88ECB5D3DF28B886C784

                Control-flow Graph

                Control-flow graph (figure; edge list omitted): function starting at 7ff848f3daba, basic blocks through 7ff848f3e233, with calls to 7ff848f39bf0, 7ff848f34f18, 7ff848f3a098, 7ff848f39548, 7ff848f39c18, 7ff848f301b8, 7ff848f3bbe0, 7ff848f34e50, 7ff848f37ee0, 7ff848f39e80, 7ff848f33058 and 7ff848f34e68.
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: edb59ed56e940ba7a75b0ed99933ef4c1a06b867450b5b3d31f5caba5b7703ee
                • Instruction ID: bbb0348add631ec9889c812c0ac9849304010143792864423545fd8a5a7b185e
                • Opcode Fuzzy Hash: edb59ed56e940ba7a75b0ed99933ef4c1a06b867450b5b3d31f5caba5b7703ee
                • Instruction Fuzzy Hash: 7042B330A1DA098FDBA8FB289495A7977E1FF55341F1401BEE44EC72D2DF28AC428B45

                Control-flow Graph

                • Executed
                • Not Executed
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: adc7ca55a98c96f941cd155da623a601a49903f895aedac3c98064dad6e4b5a1
                • Instruction ID: a1909f6129135204894d2aaca2a2971f72e58bc50c7a9805c52f169bbb9eab0b
                • Opcode Fuzzy Hash: adc7ca55a98c96f941cd155da623a601a49903f895aedac3c98064dad6e4b5a1
                • Instruction Fuzzy Hash: 56329831A0CA864FE349EB2884511B6B7E1FF95341F1445BFD48AC72E6EF29E852C385
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8ddaf52197dbc6358ca4dbb6117b4c714679d3c10373042166c2bd609658ba5e
                • Instruction ID: 326dc7246c3e08e7cf545bcf67ff5d91c7e8df61404b6370f83ba7cab2187604
                • Opcode Fuzzy Hash: 8ddaf52197dbc6358ca4dbb6117b4c714679d3c10373042166c2bd609658ba5e
                • Instruction Fuzzy Hash: 43D1583190CB864FE319DB288895175B7E2FF95341F1446BFD4CAC72E6EB28A442C785
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f8c3b991514bc55572d1cda11cfc98c4e460ab7d20b97a1f32b175ec61798b45
                • Instruction ID: 59f34eaf5c7fbd6f8a7f5163275a1ed82a3630c694c97c6dc3509f03e168aa8b
                • Opcode Fuzzy Hash: f8c3b991514bc55572d1cda11cfc98c4e460ab7d20b97a1f32b175ec61798b45
                • Instruction Fuzzy Hash: AC517D31A0D7490FD70EAB3888651B57BA1EB87220F1582BFD48BC72D3DD186C4687D5

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 858 7ff848f3381a-7ff848f33827 859 7ff848f33829-7ff848f33831 858->859 860 7ff848f33832-7ff848f33843 858->860 859->860 861 7ff848f3384e-7ff848f33909 VirtualProtect 860->861 862 7ff848f33845-7ff848f3384d 860->862 867 7ff848f3390b 861->867 868 7ff848f33911-7ff848f33942 861->868 862->861 867->868
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 6bad6e715ba62ef010abe8e6c3c1bf72c2bbe25cacd714a0390e0825029d2446
                • Instruction ID: b499ef8b2c582776fd69910f5420773c1ed668cb99c06cab1ee4d3f337f96eb7
                • Opcode Fuzzy Hash: 6bad6e715ba62ef010abe8e6c3c1bf72c2bbe25cacd714a0390e0825029d2446
                • Instruction Fuzzy Hash: 2A41383180D7884FD719DBA898462E97BE0EF56321F0443AFD089D3193CB786806C796

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 946 7ff848f30e65-7ff848f30e87 947 7ff848f30e89 946->947 948 7ff848f30e90-7ff848f30e9a 946->948 947->948 949 7ff848f30e9c-7ff848f30ee2 948->949 950 7ff848f30ee4-7ff848f30f1c FreeConsole 948->950 949->950 953 7ff848f30f1e 950->953 954 7ff848f30f24-7ff848f30f4b 950->954 953->954
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID: ConsoleFree
                • String ID:
                • API String ID: 771614528-0
                • Opcode ID: 93d53fbe0bd86c255e2d38d353ba3b1dcaa6fd76487fd3453a98851a998dc711
                • Instruction ID: e3b3ee0db3e2a821f63484071e3f7ed0110ab7f5b6b980be09563f19d3966e16
                • Opcode Fuzzy Hash: 93d53fbe0bd86c255e2d38d353ba3b1dcaa6fd76487fd3453a98851a998dc711
                • Instruction Fuzzy Hash: C731923090DB888FDB1AEB689845AEA7FF0EF56320F04419FD089C75A3C7686449CB56
                Memory Dump Source
                • Source File: 00000000.00000002.2274429721.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff849000000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c78dc61032ed69ac68b57e19683f7d4f4012b22a8bbbc40678cba8ddeecba083
                • Instruction ID: b523cebb551fd1adbaa6fd12973ceca3573511983dc5941b0cbecaf793e43b89
                • Opcode Fuzzy Hash: c78dc61032ed69ac68b57e19683f7d4f4012b22a8bbbc40678cba8ddeecba083
                • Instruction Fuzzy Hash: 1871F83190DAC94FDB9AEF2898659B57BF1EF56344B0901FBD04AC7193EE18E805C741
                Memory Dump Source
                • Source File: 00000000.00000002.2273376212.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_7ff848f30000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d248442343a8aa6cac65e9467acc77770187d2833040d3fae9762f7d2f848621
                • Instruction ID: 896be209865938b20292175ac2a3a82fb28692ce37ceaae4a7e8fcb0e1b570ab
                • Opcode Fuzzy Hash: d248442343a8aa6cac65e9467acc77770187d2833040d3fae9762f7d2f848621
                • Instruction Fuzzy Hash: 5C31DB27A1B46AD9D7057BBDB8051EAB720EF86379B0443BBD1C88D0439E0D308687E8

                Execution Graph

                Execution Coverage:1.2%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:3%
                Total number of Nodes:838
                Total number of Limit Nodes:67
44612->44521 44613->44600 44614->44581 44615->44584 44616->44587 44617->44604 44618->44608 44619->44598 44620->44600 44621->44600 44622->44600 44623->44600 44624->44600 44625->44538 44626->44544 44627->44551 44628->44552 44629->44565 44630->44564 44631->44569 44632->44571 44633->44559 44647 4409ea 44634->44647 44635 447320 CloseHandle 44635->44647 44637 440540 CloseHandle 44637->44647 44639 440a8a 44670 4470c0 CloseHandle 44639->44670 44641 440a9a 44641->44492 44642 43b260 CloseHandle 44642->44647 44643 43b1e0 CloseHandle 44643->44647 44644 43afa0 CloseHandle 44644->44647 44645 43ac20 CloseHandle 44645->44647 44646 43a9e0 CloseHandle 44646->44647 44647->44634 44647->44635 44647->44637 44647->44639 44647->44642 44647->44643 44647->44644 44647->44645 44647->44646 44648 43aa40 CloseHandle 44647->44648 44649 438f40 CloseHandle 44647->44649 44668 447500 CloseHandle 44647->44668 44669 40c940 CloseHandle 44647->44669 44648->44647 44649->44647 44651 442986 44650->44651 44651->44650 44652 4429b9 44651->44652 44653 438f40 CloseHandle 44651->44653 44654 4408a0 CloseHandle 44652->44654 44653->44651 44655 4429be 44654->44655 44655->44492 44657 440e0a 44656->44657 44657->44656 44659 440e39 44657->44659 44671 431120 CloseHandle 44657->44671 44672 43d8c0 CloseHandle 44659->44672 44661 440e9b 44662 440ef3 44661->44662 44673 436940 CloseHandle 44661->44673 44665 440f25 44662->44665 44674 45b040 CloseHandle 44662->44674 44665->44492 44666->44492 44667->44492 44668->44647 44669->44647 44670->44641 44671->44659 44672->44661 44673->44662 44674->44665 44675 447e60 44677 447e6a 44675->44677 44676 447ec7 44679 436480 CloseHandle 44676->44679 44677->44675 44677->44676 44681 436680 44677->44681 44680 447f1a 44679->44680 44682 436320 CloseHandle 44681->44682 44683 4366d6 44682->44683 44683->44676 44684 4510a0 44719 4510b2 44684->44719 44685 43a9e0 CloseHandle 44685->44719 44687 451426 44689 45143b 44687->44689 44746 451d60 CloseHandle 44687->44746 44688 451471 44697 4514af 44688->44697 44749 
455fe0 CloseHandle 44688->44749 44690 45145e 44689->44690 44747 443800 CloseHandle 44689->44747 44748 443400 CloseHandle 44690->44748 44691 438f40 CloseHandle 44691->44719 44693 451582 44720 4515ca 44693->44720 44752 43a9e0 CloseHandle 44693->44752 44697->44693 44698 45150d 44697->44698 44750 43d8c0 CloseHandle 44698->44750 44699 43a9e0 CloseHandle 44699->44720 44702 451529 44729 450c60 44702->44729 44703 451594 44753 43b260 CloseHandle 44703->44753 44708 43b260 CloseHandle 44708->44719 44709 4515a5 44754 43afa0 CloseHandle 44709->44754 44713 451552 44714 4515b1 44755 43b260 CloseHandle 44714->44755 44716 4515c5 44756 43aa40 CloseHandle 44716->44756 44718 43aa40 CloseHandle 44718->44720 44719->44684 44719->44685 44719->44687 44719->44688 44719->44691 44719->44708 44721 43ac20 CloseHandle 44719->44721 44723 45e240 CloseHandle 44719->44723 44726 43b0e0 CloseHandle 44719->44726 44727 43aa40 CloseHandle 44719->44727 44728 43b1e0 CloseHandle 44719->44728 44759 43afa0 CloseHandle 44719->44759 44760 4551a0 CloseHandle 44719->44760 44720->44699 44720->44718 44722 43b0e0 CloseHandle 44720->44722 44724 43b260 CloseHandle 44720->44724 44757 438f40 CloseHandle 44720->44757 44758 43afa0 CloseHandle 44720->44758 44721->44719 44722->44720 44723->44719 44724->44720 44726->44719 44727->44719 44728->44719 44730 450c6f 44729->44730 44730->44729 44731 450c92 44730->44731 44732 438f40 CloseHandle 44730->44732 44733 44ff80 CloseHandle 44731->44733 44732->44730 44734 450d45 44733->44734 44736 450dba 44734->44736 44738 450ded 44734->44738 44765 438f40 CloseHandle 44734->44765 44766 450b00 CloseHandle 44736->44766 44761 45c800 CloseHandle 44738->44761 44742 450f36 44744 450f5c 44742->44744 44762 450760 CloseHandle 44742->44762 44763 45ce40 CloseHandle 44742->44763 44743 450f91 44751 43d8c0 CloseHandle 44743->44751 44764 450260 CloseHandle 44744->44764 44746->44689 44747->44690 44748->44688 44749->44697 44750->44702 44751->44713 44752->44703 44753->44709 44754->44714 44755->44716 
44756->44720 44757->44720 44758->44720 44759->44719 44760->44719 44761->44742 44762->44742 44763->44742 44764->44743 44765->44736 44766->44738 44767 4688c0 44768 4688f4 44767->44768 44769 4688ef 44767->44769 44776 4431e0 44768->44776 44790 43c340 CloseHandle 44769->44790 44777 4431ea 44776->44777 44777->44776 44792 43d8c0 CloseHandle 44777->44792 44779 443238 44784 443265 44779->44784 44793 45b340 CloseHandle 44779->44793 44781 4433c7 44782 442d40 CloseHandle 44781->44782 44783 4433cc 44782->44783 44791 43c380 CloseHandle 44783->44791 44784->44781 44794 43d8c0 CloseHandle 44784->44794 44786 44335d 44789 44337b 44786->44789 44795 45b480 CloseHandle 44786->44795 44787 440e00 CloseHandle 44787->44781 44789->44787 44792->44779 44793->44784 44794->44786 44795->44789 44796 4686a0 44797 4686c0 44796->44797 44800 46f540 44797->44800 44799 468809 44803 4451a0 44800->44803 44804 4451a6 44803->44804 44804->44803 44805 468940 CloseHandle 44804->44805 44806 4451eb 44805->44806 44806->44799
                Strings
                Memory Dump Source
                • Source File: 00000005.00000002.3263635448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_400000_explorer.jbxd
                Similarity
                • API ID:
                • String ID: .F$PowerRegisterSuspendResumeNotification$powrprof.dll
                • API String ID: 0-3322427260
                • Opcode ID: 44d24f89154824cc11c56763e591cdb9fb0a85941e7be42b470fd5cd78009dba
                • Instruction ID: 965232fd85bd776f109a5cefa4b990e4cbb4f87958703785c264029de7cc8692
                • Opcode Fuzzy Hash: 44d24f89154824cc11c56763e591cdb9fb0a85941e7be42b470fd5cd78009dba
                • Instruction Fuzzy Hash: B3213536208F84C2DA01CF11F48535BB7A5F78AB84F589116EA8C47B68DF7DD195CB00
                Memory Dump Source
                • Source File: 00000005.00000002.3263635448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_400000_explorer.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cdd6910b81359d82a000ccbee3a73faa141a11c2b4a33abe83676cd268d41d19
                • Instruction ID: 4d277e9a38b308075dea3b40fae763119b304e4283cc0bce953b090b49828a38
                • Opcode Fuzzy Hash: cdd6910b81359d82a000ccbee3a73faa141a11c2b4a33abe83676cd268d41d19
                • Instruction Fuzzy Hash: FD215E33608B8582DA10CB21F44236BB764F399BD8F549226EE9D47B99DB3DD191CB04
                Memory Dump Source
                • Source File: 00000005.00000002.3263635448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_400000_explorer.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c03ad09ada82addc91113b371987d2570bc1e40ba6c4f6888c7805d04d17258c
                • Instruction ID: 5f9b1e9abb5f0cd8c515e1f7192ac85a30b71cc5980b9a152863c510826f3cfe
                • Opcode Fuzzy Hash: c03ad09ada82addc91113b371987d2570bc1e40ba6c4f6888c7805d04d17258c
                • Instruction Fuzzy Hash: 8A110636604F89D0E600DB22F48632A7764F35AB84F458226DEAC83761DF3EC192C704
                APIs
                Memory Dump Source
                • Source File: 00000005.00000002.3263635448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_400000_explorer.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: d0420e7b245c68536b1289b904fe6097933a37c154ff1c15fd575de53d0a58cb
                • Instruction ID: 689282ddd1dccc8a133a55a2cc78a95394f348243343486b182c0238c4023206
                • Opcode Fuzzy Hash: d0420e7b245c68536b1289b904fe6097933a37c154ff1c15fd575de53d0a58cb
                • Instruction Fuzzy Hash: 39115276601F80C1DB11CB1EE4813697374E349BE4F244216DFAD57795DB29E193CB44
                Strings
                • runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflo, xrefs: 004215E7
                • greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has, xrefs: 004216AF
                • objgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfuncc, xrefs: 00421676
                • ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 00421645
                • base of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+134, xrefs: 0042165B
                • marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during , xrefs: 0042169E
                Memory Dump Source
                • Source File: 00000005.00000002.3263635448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_400000_explorer.jbxd
                Similarity
                • API ID:
                • String ID: ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$base of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+134$greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has$marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during $objgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfuncc$runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflo
                • API String ID: 0-2832768888
                • Opcode ID: 169de8a3bab8cce5d1ba203b8d2577037a4726d31b8877cf2e6c9ff4dc77fe63
                • Instruction ID: e0e71f5e75f83ecd7fb880455a270d1ff5eef260204314e596b1d4974127170c
                • Opcode Fuzzy Hash: 169de8a3bab8cce5d1ba203b8d2577037a4726d31b8877cf2e6c9ff4dc77fe63
                • Instruction Fuzzy Hash: 1161CE72704B8492DB109B12E44136EA765F79ABC4F84516BEF8E07B66CB3CC1A4C744
                Strings
                • -> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac, xrefs: 0040C3C5
                • runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p, xrefs: 0040C365
                • packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1Micr, xrefs: 0040C3A5
                • cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-, xrefs: 0040C385
                • lfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (goal , cons/mark maxTrigger= pages/byte s.sweepgen= allocCount end tracegcProces, xrefs: 0040C3EF
                Memory Dump Source
                • Source File: 00000005.00000002.3263635448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_400000_explorer.jbxd
                Similarity
                • API ID:
                • String ID: -> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac$ cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-$ packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1Micr$lfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (goal , cons/mark maxTrigger= pages/byte s.sweepgen= allocCount end tracegcProces$runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p
                • API String ID: 0-1621370682
                • Opcode ID: c12e68af4669c7ebffe4d4da2f85d7cbb8219f4e62b23d3ca95c3471088a8ffe
                • Instruction ID: 5a96ecf5df70063a97e93e536bc284756fc6758f0989f5118017566c94810f6f
                • Opcode Fuzzy Hash: c12e68af4669c7ebffe4d4da2f85d7cbb8219f4e62b23d3ca95c3471088a8ffe
                • Instruction Fuzzy Hash: 5E217132215B48C6DA00AB52E88136FA764F74EB84F489536EF9D07725DF3CC5118759
                Strings
                • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 00421C50
                Memory Dump Source
                • Source File: 00000005.00000002.3263635448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_400000_explorer.jbxd
                Similarity
                • API ID:
                • String ID: gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
                • API String ID: 0-3110597650
                • Opcode ID: 95b138d9991054ec6f11f3c02461700914ddf8539f56229ea5deb5f8fc906794
                • Instruction ID: 53a844a7a84ad01774df71fa157ea2769c62a47828825314014deb0c136a16c9
                • Opcode Fuzzy Hash: 95b138d9991054ec6f11f3c02461700914ddf8539f56229ea5deb5f8fc906794
                • Instruction Fuzzy Hash: 5721F2F7B42AC443EF058F15D4803A86722E79AFD8F49A076CF4A5775ACA6CC596C304
                Memory Dump Source
                • Source File: 00000005.00000002.3263635448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_400000_explorer.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 93777dd3814fc503c69b58b28e96303c24bab9db006b93a2883c99640e9c12de
                • Instruction ID: c35ce2205f4439c9bc33ee611e270b4b6524a6347d7d0b032ba3219efa3bbe4c
                • Opcode Fuzzy Hash: 93777dd3814fc503c69b58b28e96303c24bab9db006b93a2883c99640e9c12de
                • Instruction Fuzzy Hash: 54A14776718B8482DB108B26F08025AB7A1F789BD8F545226EFDD53BA9CF3CC051CB44
                Memory Dump Source
                • Source File: 00000005.00000002.3263635448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_400000_explorer.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 00fca6ffe96d0598eb837d865953b686d33a67bbe900ba1178b2787fa9c7e443
                • Instruction ID: da070dd6bc55c889b617fafb2509f6d98ecc914ecad407ee4ca492db3da71ad9
                • Opcode Fuzzy Hash: 00fca6ffe96d0598eb837d865953b686d33a67bbe900ba1178b2787fa9c7e443
                • Instruction Fuzzy Hash: 08818E76B18B9482DB108F16F4803AAA762F79ABC4F489127EF8D57B59CB7CC091C744
                Memory Dump Source
                • Source File: 00000005.00000002.3263635448.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_5_2_400000_explorer.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a256208f17b381db6722f0ed2d02a2297ad36eb4d6491dea5391dd1c04bdc341
                • Instruction ID: d3223bdf275e84daa4910810eeb1eb334a6769f4471e182a90cf707f9c0d66b9
                • Opcode Fuzzy Hash: a256208f17b381db6722f0ed2d02a2297ad36eb4d6491dea5391dd1c04bdc341
                • Instruction Fuzzy Hash: 64C02BF0907FD218FB50C30072003413AC68F043C4D80C081C28801B25F63CD6A2472F
                Strings
                Memory Dump Source
                • Source File: 00000007.00000002.2100650384.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_7_2_7ff849000000_powershell.jbxd
                Similarity
                • API ID:
                • String ID: 0wBw
                • API String ID: 0-2365558896
                • Opcode ID: 22e7346dd9467f262a47fc05e893dd3ee38e56517148f11e1ed7bf15ca6918bf
                • Instruction ID: 13065ca2620ad98795189621aeca597cf854664f579b260f3f2ba0c8a153742a
                • Opcode Fuzzy Hash: 22e7346dd9467f262a47fc05e893dd3ee38e56517148f11e1ed7bf15ca6918bf
                • Instruction Fuzzy Hash: 7F51243140D7C88FD7569B28A815AA57FF0EF87310F0942DFD089C71A3D669A816CB92
                Memory Dump Source
                • Source File: 00000007.00000002.2100650384.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_7_2_7ff849000000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: af28d9d3a7eefa58a1dd3ee2a65194abc80db114e3d3669c7fde54539e866d04
                • Instruction ID: 8bbd19047239bf6b043d3cf526dca4ea0af9c91844be9a0e18ac06b974513a9e
                • Opcode Fuzzy Hash: af28d9d3a7eefa58a1dd3ee2a65194abc80db114e3d3669c7fde54539e866d04
                • Instruction Fuzzy Hash: 01411522E1EAC65FEBA9EE2868566B87BE1FF55750F0801FAC04CC71C3ED18AC054352
                Memory Dump Source
                • Source File: 00000007.00000002.2100231724.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_7_2_7ff848f30000_powershell.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
                • Instruction ID: 1fde1e7c06bd8ad01fde8fdacf519f27676798cf7977af127a8e772823c5939c
                • Opcode Fuzzy Hash: 3e8110072008822f9b851662dbd92c3d0a0b45f8918f2b52d7721439382d7d88
                • Instruction Fuzzy Hash: 9501677111CB0C4FD744EF0CE451AA5B7E0FB95364F10056EE58AC3695DB36E882CB45