
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546399
MD5: 015213997f4a1fc3503b19e2356738b2
SHA1: c24933a5005cc58fdacced124f93adb74c23748b
SHA256: b674f985f144f65b754715572db0cb17c0db762eb6d5217fbb93b15433572d97
Tags: exe, user-Bitsight

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Powershell create lnk in startup
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Disables UAC (registry)
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Potentially malicious time measurement code found
Powershell creates an autostart link
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Compiles C# or VB.Net code
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • file.exe (PID: 1600 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 015213997F4A1FC3503B19E2356738B2)
    • conhost.exe (PID: 936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5324 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 416 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • csc.exe (PID: 6392 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" MD5: F65B029562077B648A6A5F6A1AA76A66)
      • powershell.exe (PID: 3212 cmdline: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; $s.Save()" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • csc.exe (PID: 4920 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" MD5: F65B029562077B648A6A5F6A1AA76A66)
    • WerFault.exe (PID: 1136 cmdline: C:\Windows\system32\WerFault.exe -u -p 1600 -s 1060 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • csc.exe (PID: 1492 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" MD5: F65B029562077B648A6A5F6A1AA76A66)
    • conhost.exe (PID: 5412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Process Memory Space: file.exe PID: 1600 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: file.exe PID: 1600 | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |

        System Summary

        Source: File createdAuthor: Christopher Peacock '@securepeacock', SCYTHE: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3212, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk
        Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 1600, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, ProcessId: 5324, ProcessName: powershell.exe
        Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3212, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk
        Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 1600, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force, ProcessId: 5324, ProcessName: powershell.exe

        Persistence and Installation Behavior

        Source: Process startedAuthor: Joe Security: Data: Command: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; $s.Save()", CommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; $s.Save()", CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", ParentImage: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentProcessId: 6392, ParentProcessName: csc.exe, ProcessCommandLine: powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; $s.Save()", ProcessId: 3212, ProcessName: powershell.exe
        Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
        2024-10-31T21:08:55.542812+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.6 | 49748 | TCP
        2024-10-31T21:09:16.157046+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.6 | 50915 | TCP
        2024-10-31T21:09:17.844886+0100 | 2022930 | 1 | A Network Trojan was detected | 20.109.210.53 | 443 | 192.168.2.6 | 50923 | TCP

        AV Detection

        Source: file.exeReversingLabs: Detection: 26%
        Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
        Source: file.exeJoe Sandbox ML: detected

        Exploits

        Source: Yara matchFile source: 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: file.exe PID: 1600, type: MEMORYSTR

        Bitcoin Miner

        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00434800 LoadLibraryExW
        Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: System.Windows.Forms.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.pdbhT source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: mscorlib.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.ni.pdbRSDS source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.pdbXw7 source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.pdb0 source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: mscorlib.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.pdb@Y source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Core.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.ni.pdbRSDS source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Core.ni.pdbRSDS source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Core.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile opened: c:\Users\user\AppData\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile opened: c:\Users\user\AppData\Roaming\Microsoft\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile opened: c:\Users\user\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile opened: c:\Users\user\AppData\Roaming\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 4x nop then cmp rdx, rbx 5_2_0040C2E0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 4x nop then cmp rdx, 40h 5_2_00421420
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 4x nop then shr r10, 0Dh 5_2_0042C640
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 4x nop then shr r10, 0Dh 5_2_0042DAC0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 4x nop then lock or byte ptr [rdx], dil 5_2_00421B60
        Source: global trafficTCP traffic: 192.168.2.6:58108 -> 185.196.10.218:9889
        Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.6:49748
        Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:50915
        Source: Network trafficSuricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.6:50923
        Source: unknownDNS traffic detected: query: 18.31.95.13.in-addr.arpa reply code: Name error (3)
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficDNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C58DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321964168.0000028C6753B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321964168.0000028C67671000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C58D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C574C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: Amcache.hve.11.drString found in binary or memory: http://upx.sf.net
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C58D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C574C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
        Source: powershell.exe, 00000008.00000002.2321964168.0000028C67671000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000008.00000002.2321964168.0000028C67671000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000008.00000002.2321964168.0000028C67671000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C58D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C580F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C58DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321964168.0000028C6753B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321964168.0000028C67671000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
        Source: powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD3469A090
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD34695070
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD3469EAC0
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD34694F00
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD3469CFA6
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD3469F769
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD3469C807
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD34692FF0
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD346911F2
        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00007FFD347601A5
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0040D200
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00440540
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_004479A0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00436A20
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00429B20
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00428D20
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0040DDA0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00416EE0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00401FE0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0041A020
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0044F160
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00442180
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0041F1A0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0043E220
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0040A440
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0047C460
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00465420
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0041B480
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00452480
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0043A520
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0042C640
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00426620
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_004236C0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0045E720
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_004337C0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0043D8C0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00453940
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0040E960
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0041B9A0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00430A40
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00427A60
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0044BA20
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0042DAC0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00415AE0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00467AA9
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0042CB00
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00403BE0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0042FCC0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00439CE0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0047CC80
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0041ADC0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00421DE0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_0042EEA0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: 5_2_00440FC0
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: String function: 00438F40 appears 516 times
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: String function: 0043AA40 appears 77 times
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: String function: 00439020 appears 33 times
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeCode function: String function: 0043B260 appears 632 times
        Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1600 -s 1060
        Source: file.exeStatic PE information: No import functions for PE file found
        Source: file.exe, 00000000.00000000.2152120444.00000227FF196000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameFuckingShit.exe8 vs file.exe
        Source: file.exe, 00000000.00000002.2593538884.00000227FF28C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
        Source: file.exeBinary or memory string: OriginalFilenameFuckingShit.exe8 vs file.exe
        Source: file.exe, .csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: classification engineClassification label: mal100.spre.expl.evad.mine.winEXE@16/13@1/1
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:936:120:WilError_03
        Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1600
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uvuvjwne.55f.ps1
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeFile opened: C:\Windows\system32\bb65100049126d994d2ef25315bd41277d9097c15da9dbb086da9c765700914dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJump to behavior
        Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: file.exeStatic file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
        Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: file.exeReversingLabs: Detection: 26%
        Source: csc.exeString found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
        Source: csc.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
        Source: csc.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
        Source: csc.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
        Source: csc.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
        Source: csc.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
        Source: csc.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
        Source: csc.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
        Source: csc.exeString found in binary or memory: :cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogsc
        Source: csc.exeString found in binary or memory: :cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogsc
        Source: csc.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
        Source: csc.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
        Source: csc.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
        Source: csc.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
        Source: csc.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
        Source: csc.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
        Source: csc.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
        Source: csc.exeString found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
        Source: csc.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
        Source: csc.exeString found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime:
        Source: csc.exeString found in binary or memory: ry/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: Virt
        Source: csc.exeString found in binary or memory: ry/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: Virt
        Source: csc.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
        Source: csc.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
        Source: csc.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
        Source: csc.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
        Source: csc.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
        Source: csc.exeString found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
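The strings above are Go runtime artifacts: runtime/metrics names such as /memory/classes/heap/stacks:bytes and runtime throw messages such as "runtime: failed mSpanList.insert". The report attributes them to the memory of csc.exe, a CLR-hosted compiler that contains no Go code. Together with the foreign-process memory writes and PE injection flagged in the signature list, this is consistent with a Go-compiled payload having been injected into csc.exe. The following is an added example, not part of the Joe Sandbox report, that turns that observation into a check: it scans a memory region for the marker strings quoted above and for a Go pclntab header (the magic values are those defined in the Go runtime's runtime/symtab.go), and raises only when the host image is a .NET binary that should never carry a Go runtime. The two memory buffers are constructed for the walkthrough, and the DOTNET_HOSTS set is an assumed, illustrative list, not something the report states.

```python
"""Flag a .NET host process whose memory carries Go runtime artifacts.

Added example, not part of the Joe Sandbox report. The marker strings are the
runtime/metrics names and runtime throw messages the report lists in csc.exe
memory; the pclntab magics come from the Go runtime (runtime/symtab.go). The
memory buffers below are constructed for the walkthrough.
"""
import re
import struct

# Strings the report attributes to csc.exe memory: Go runtime/metrics names
# and panic/throw messages that only the Go runtime emits.
GO_RUNTIME_MARKERS = (
    b"/memory/classes/heap/stacks:bytes",
    b"/memory/classes/heap/unused:bytes",
    b"/sched/pauses/stopping/gc:seconds",
    b"/cpu/classes/gc/total:cpu-seconds",
    b"/gc/limiter/last-enabled:gc-cycle",
    b"concurrent map read and map write",
    b"runtime: failed mSpanList.insert",
    b"runtime: castogscanstatus oldval=",
    b"findrunnable: negative nmspinning",
    b"runtime: VirtualQuery failed; errno=",
)

# Go pclntab header: little-endian magic, two zero pad bytes, minLC, ptrSize.
GO_PCLNTAB_MAGICS = {
    0xFFFFFFFB: "go1.2-1.15",
    0xFFFFFFFA: "go1.16-1.17",
    0xFFFFFFF0: "go1.18-1.19",
    0xFFFFFFF1: "go1.20+",
}
_PCLNTAB_RE = re.compile(rb"[\xfb\xfa\xf0\xf1]\xff\xff\xff\x00\x00[\x01\x02\x04][\x04\x08]")

# Images that legitimately host the CLR and never the Go runtime (assumed list).
DOTNET_HOSTS = {
    "csc.exe", "vbc.exe", "powershell.exe", "msbuild.exe",
    "regasm.exe", "regsvcs.exe", "installutil.exe",
}


def go_runtime_indicators(buf: bytes) -> dict:
    """Return the Go marker strings and pclntab headers (offset, version) found in buf."""
    strings = [m.decode() for m in GO_RUNTIME_MARKERS if m in buf]
    pclntab = []
    for hit in _PCLNTAB_RE.finditer(buf):
        magic = struct.unpack("<I", hit.group(0)[:4])[0]
        pclntab.append((hit.start(), GO_PCLNTAB_MAGICS[magic]))
    return {"strings": strings, "pclntab": pclntab}


def host_runtime_mismatch(image: str, buf: bytes, min_strings: int = 3) -> bool:
    """True when a .NET host image's memory carries Go runtime artifacts.

    One marker string alone can be a false positive (a log file read into
    memory), so require several distinct markers or a pclntab header.
    """
    if image.lower() not in DOTNET_HOSTS:
        return False
    ind = go_runtime_indicators(buf)
    return len(ind["strings"]) >= min_strings or bool(ind["pclntab"])


# Constructed memory region of a hollowed csc.exe: report strings plus a go1.20+ pclntab header.
INJECTED_CSC = (
    b"\x00" * 16
    + b"/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes"
    + b"/sched/pauses/stopping/gc:secondsmin must be a non-zero power of 2"
    + b"runtime: failed mSpanList.insert "
    + struct.pack("<I", 0xFFFFFFF1) + b"\x00\x00\x01\x08"
    + b"\x00" * 16
)
# Constructed memory region of a clean csc.exe: only CLR-side strings.
CLEAN_CSC = b"mscorlib.dll\x00System.Core.dll\x00Microsoft (R) Visual C# Compiler\x00" + b"\x00" * 32

if __name__ == "__main__":
    for name, buf in (("csc.exe (injected)", INJECTED_CSC), ("csc.exe (clean)", CLEAN_CSC)):
        print(name, go_runtime_indicators(buf), host_runtime_mismatch("csc.exe", buf))
```

In practice the buffer comes from a memory dump or a ReadProcessMemory sweep of the suspect process's private RWX regions; the string markers are cheap and the pclntab header is the stronger signal, since it is part of the Go binary's function table rather than a message that might appear in data.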
        Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
        Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; $s.Save()"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1600 -s 1060
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; $s.Save()"
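The process list above records the whole chain: file.exe launches powershell.exe to add a Defender path exclusion for itself, starts csc.exe with no compiler arguments (a legitimate csc.exe launch always carries a response file or switches), and the csc.exe instance then launches powershell.exe to drop Nexus.lnk into the user's Startup folder with csc.exe as its target. As an added example, not part of the Joe Sandbox report, the following Python applies the three detections a hunter would run over such process-creation telemetry: an Add-MpPreference exclusion change, in plaintext or behind -EncodedCommand (the Base64 variant that the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma hit in the overview refers to); a WScript.Shell CreateShortcut into the Startup folder; and csc.exe starting without compile arguments or acting as the parent of powershell.exe. The first four event tuples are the report's own command lines; the last two, a legitimate-looking csc.exe compile and an encoded exclusion command, are constructed to show the negative and the obfuscated case.

```python
"""Triage process-creation telemetry for the chain recorded in the report.

Added example, not part of the Joe Sandbox report. Events are
(parent_image, command_line) pairs; the first four are the report's own
command lines, the last two are constructed (a benign csc.exe compile and a
Base64-encoded Add-MpPreference call).
"""
import base64
import re

# -EncodedCommand and every prefix of it that PowerShell accepts, followed by Base64.
_ENC_RE = re.compile(
    r"(?i)\s-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)
# Defender exclusion being added through the MpPreference cmdlet.
_MPPREF_RE = re.compile(r"(?i)\bAdd-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)")
# WScript.Shell shortcut written into a Start Menu\Programs\Startup folder.
_STARTUP_LNK_RE = re.compile(r"(?i)CreateShortcut\(.*?\\Start Menu\\Programs\\Startup\\[^'\"]+\.lnk")


def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (executable path, remaining arguments)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        if end == -1:
            return cmdline[1:], ""
        return cmdline[1:end], cmdline[end + 1:].strip()
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def image_name(path: str) -> str:
    """Lowercase basename; a bare 'powershell' normalises to 'powershell.exe'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name if name.endswith(".exe") or name == "unknown" else name + ".exe"


def effective_script(args: str) -> str:
    """Decode -EncodedCommand (UTF-16LE Base64) when present, else return args as-is."""
    m = _ENC_RE.search(" " + args)
    if not m:
        return args
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return args


def csc_has_compile_args(args: str) -> bool:
    """Legitimate csc.exe runs carry a response file (@...) or compiler switches."""
    return "@" in args or "/" in args or args.lower().endswith(".cs")


def triage(events: list[tuple[str, str]]) -> list[tuple[int, str]]:
    """Return (event_index, rule_name) findings over (parent_image, command_line) events."""
    findings = []
    for i, (parent, cmdline) in enumerate(events):
        exe, args = split_cmdline(cmdline)
        image, pimage = image_name(exe), image_name(parent)
        if image == "powershell.exe":
            script = effective_script(args)
            if _MPPREF_RE.search(script):
                findings.append((i, "defender_exclusion_added"))
            if _STARTUP_LNK_RE.search(script):
                findings.append((i, "startup_lnk_persistence"))
            if pimage == "csc.exe":
                findings.append((i, "csc_spawned_powershell"))
        elif image == "csc.exe" and not csc_has_compile_args(args):
            findings.append((i, "csc_without_compile_args"))
    return findings


# Event list: parent image, then the child's full command line.
EVENTS = [
    ("unknown", r'"C:\Users\user\Desktop\file.exe"'),
    (r"C:\Users\user\Desktop\file.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force'),
    (r"C:\Users\user\Desktop\file.exe",
     r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"'),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     r'''powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; $s.Save()"'''),
    # Constructed: what a legitimate build-time csc.exe launch looks like (response file present).
    (r"C:\Windows\explorer.exe",
     r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\example.cmdline"'),
    # Constructed: the same exclusion change hidden behind -EncodedCommand.
    (r"C:\Windows\explorer.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc '
     + base64.b64encode("Add-MpPreference -ExclusionProcess csc.exe".encode("utf-16le")).decode()),
]

if __name__ == "__main__":
    for idx, rule in triage(EVENTS):
        print(f"event {idx}: {rule}  <- {EVENTS[idx][1][:80]}")
```

The encoded-command decode matters because the overview's Sigma hit is on the Base64 form; matching only the literal cmdlet name in the command line would miss it. The csc.exe rule is a parent/child anomaly rather than a string match, which is what catches the hollowed compiler here even though its command line is otherwise empty.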
        Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: winmm.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: powrprof.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: umpdc.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: scrrun.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
        Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: version.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
        Source: Nexus.lnk.8.dr | LNK file: ..\..\..\..\..\..\..\..\..\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: file.exe | Static file information: File size 6421135 > 1048576
        Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: System.Windows.Forms.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.pdbhT source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: mscorlib.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.ni.pdbRSDS source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.pdbXw7 source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.pdb0 source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Windows.Forms.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: mscorlib.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.pdb@Y source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Core.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Drawing.ni.pdbRSDS source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Core.ni.pdbRSDS source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: Microsoft.VisualBasic.pdb source: WER13B0.tmp.dmp.11.dr
        Source: Binary string: System.Core.ni.pdb source: WER13B0.tmp.dmp.11.dr
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD34696081 push ebp; retf 0008h | 0_2_00007FFD34696082
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD34695F9C push esi; retf | 0_2_00007FFD34695F9D
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD34696785 pushad ; ret | 0_2_00007FFD34696786
        Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00007FFD347601A5 push esp; retf 4810h | 0_2_00007FFD34760312

        Boot Survival

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: .lnk'); $s.TargetPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; $s.Save()@{# Script module or binary module file associated with this manifest.ModuleToProcess = 'Pester.psm1'# Version number of this module.ModuleVersion = '3.4.0'# ID used to uniquely identify this moduleGUID = 'a699dea5-2c73-4616-a270-1f7abb777e71'# Author of this moduleAuthor = 'Pester Team'# Company or vendor of this moduleCompanyName = 'Pester'# Copyright statement for this moduleCopyright = 'Copyright (c) 2016 by Pester Team, licensed under Apache 2.0 License.'# Description of the functionality provided by this moduleDescription = 'Pester provides a framework for running BDD style Tests to execute and validate PowerShell commands inside of PowerShell and offers a powerful set of Mocking Functions that allow tests to mimic and mock the functionality of any command inside of a piece of powershell code being tested. Pester tests can execute any command or script that is accesible to a pester test file. This can include functions, Cmdlets, Modules and scripts. 
Pester can be run in ad hoc style in a console or it can be integrated into the Build scripts of a Continuous Integration system.'# Minimum version of the Windows PowerShell user required by this modulePowerShellVersion = '2.0'# Functions to export from this moduleFunctionsToExport = @( 'Describe', 'Context', 'It', 'Should', 'Mock', 'Assert-MockCalled', 'Assert-VerifiableMocks', 'New-Fixture', 'Get-TestDriveItem', 'Invoke-Pester', 'Setup', 'In', 'InModuleScope', 'Invoke-Mock', 'BeforeEach', 'AfterEach', 'BeforeAll', 'AfterAll' 'Get-MockDynamicParameters', 'Set-DynamicParameterVariables', 'Set-TestInconclusive', 'SafeGetCommand', 'New-PesterOption')# # Cmdlets to export from this module# CmdletsToExport = '*'# Variables to export from this moduleVariablesToExport = @( 'Path', 'TagFilter', 'ExcludeTagFilter', 'TestNameFilter', 'TestResult', 'CurrentContext', 'CurrentDescribe', 'CurrentTest', 'SessionState', 'CommandCoverage', 'BeforeEach', 'AfterEach', 'Strict')# # Aliases to export from this module# AliasesToExport = '*'# List of all modules packaged with this module# ModuleList = @()# List of all files packaged with this module# FileList = @()PrivateData = @{ # PSData is module packaging and gallery metadata embedded in PrivateData # It's for rebuilding PowerShellGet (and PoshCode) NuGet-style packages # We had to do this because it's the only place we're allowed to extend the manifest # https://connect.microsoft.com/PowerShell/feedback/details/421837 PSData = @{ # The primary categorization of this module (from the TechNet Gallery tech tree). Category = "Scripting Techniques" # Keyword tags to help users find this module via navigations and search. Tags = @('powershell','unit testing','bdd','tdd','mocking') # The web address of an icon which can
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara match; File source: Process Memory Space: file.exe PID: 1600, type: MEMORYSTR
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
        Source: C:\Users\user\Desktop\file.exe; Memory allocated: 22781800000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\file.exe; Memory allocated: 22799940000 memory reserve | memory write watch
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Code function: 5_2_0046A800 rdtscp
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 8157
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 1368
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3681
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 471
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3424; Thread sleep count: 8157 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2896; Thread sleep count: 1368 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5712; Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3184; Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3608; Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Code function: 5_2_00434940 GetProcessAffinityMask,GetSystemInfo
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File opened: c:\Users\user\AppData\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File opened: c:\Users\user\AppData\Roaming\Microsoft\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File opened: c:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File opened: c:\Users\user\
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; File opened: c:\Users\user\AppData\Roaming\
        Source: Amcache.hve.11.dr; Binary or memory string: VMware
        Source: powershell.exe, 00000008.00000002.2332295196.0000028C6F9DE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}
        Source: powershell.exe, 00000008.00000002.2332295196.0000028C6F9DE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\W
        Source: Amcache.hve.11.dr; Binary or memory string: VMware Virtual USB Mouse
        Source: Amcache.hve.11.dr; Binary or memory string: vmci.syshbin
        Source: Amcache.hve.11.dr; Binary or memory string: VMware, Inc.
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: Amcache.hve.11.dr; Binary or memory string: VMware20,1hbin@
        Source: Amcache.hve.11.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
        Source: Amcache.hve.11.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: Amcache.hve.11.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.11.dr; Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
        Source: Amcache.hve.11.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: Amcache.hve.11.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA II
        Source: Amcache.hve.11.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
        Source: Amcache.hve.11.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
        Source: csc.exe, 00000005.00000002.4020311878.0000017E9BE7E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: powershell.exe, 00000008.00000002.2325970305.0000028C6F55D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: War&Prod_VMware_
        Source: Amcache.hve.11.dr; Binary or memory string: vmci.sys
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
        Source: Amcache.hve.11.dr; Binary or memory string: vmci.syshbin`
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
        Source: Amcache.hve.11.dr; Binary or memory string: \driver\vmci,\driver\pci
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: Amcache.hve.11.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
        Source: Amcache.hve.11.dr; Binary or memory string: VMware20,1
        Source: Amcache.hve.11.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
        Source: Amcache.hve.11.dr; Binary or memory string: NECVMWar VMware SATA CD00
        Source: Amcache.hve.11.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
        Source: Amcache.hve.11.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
        Source: Amcache.hve.11.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
        Source: Amcache.hve.11.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
        Source: Amcache.hve.11.dr; Binary or memory string: VMware PCI VMCI Bus Device
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
        Source: file.exe, 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
        Source: Amcache.hve.11.dr; Binary or memory string: VMware VMCI Bus Device
        Source: Amcache.hve.11.dr; Binary or memory string: VMware Virtual RAM
        Source: Amcache.hve.11.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
        Source: Amcache.hve.11.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

        Anti Debugging

        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Code function: 5_2_0046A800 Start: 0046A809 End: 0046A81F
        Source: C:\Users\user\Desktop\file.exe; Process queried: DebugPort
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Code function: 5_2_0046A800 rdtscp
        Source: C:\Users\user\Desktop\file.exe; Process token adjusted: Debug
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Code function: 5_2_0044E060 RtlAddVectoredExceptionHandler,RtlAddVectoredContinueHandler,RtlAddVectoredContinueHandler
        Source: C:\Users\user\Desktop\file.exe; Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
        Source: C:\Users\user\Desktop\file.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\file.exe; Thread register set: target process: 6392
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 400000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 401000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 4EE000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 600000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 699000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 6A0000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 6A1000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 6A2000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 6D3000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 6DE000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 6DF000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 739000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 76E000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 780000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 781000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 786000
        Source: C:\Users\user\Desktop\file.exe; Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe base: 49DB5E4010
        Source: C:\Users\user\Desktop\file.exe; Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; $s.Save()"
        Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -command "$ws = new-object -comobject wscript.shell; $s = $ws.createshortcut('c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\nexus.lnk'); $s.targetpath = 'c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe'; $s.save()"
        Source: C:\Users\user\Desktop\file.exe; Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
        Source: C:\Users\user\Desktop\file.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\file.exe; Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
        Source: Amcache.hve.11.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
        Source: Amcache.hve.11.dr; Binary or memory string: msmpeng.exe
        Source: Amcache.hve.11.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
        Source: Amcache.hve.11.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
        Source: Amcache.hve.11.dr; Binary or memory string: MsMpEng.exe
        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
        Execution: 12 Command and Scripting Interpreter; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers
        Persistence: 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
        Privilege Escalation: 411 Process Injection; 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
        Defense Evasion: 1 Masquerading; 21 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 411 Process Injection; 11 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
        Discovery: 131 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 2 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
        Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
        Behavior Graph (ID: 1546399, sample: file.exe, start date: 31/10/2024, architecture: WINDOWS, score: 100). Root-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Powershell create lnk in startup; Yara detected UAC Bypass using CMSTP; 5 other signatures. DNS: 18.31.95.13.in-addr.arpa. file.exe (signatures: tries to detect sandboxes and other dynamic analysis tools; writes to foreign memory regions; allocates memory in foreign processes; 4 other signatures) starts csc.exe, powershell.exe, WerFault.exe and 2 other processes; a second csc.exe started at the root level starts conhost.exe. The csc.exe started by file.exe (signatures: contains functionality to register a callback for system suspend/resume, often done by miners; potentially malicious time measurement code found) connects to 185.196.10.218 on ports 50919, 50967 and 51008 (SIMPLECARRIERCH, Switzerland) and starts powershell.exe, which drops C:\Users\user\AppData\Roaming\...\Nexus.lnk (MS) and starts conhost.exe. The powershell.exe started by file.exe (signatures: Powershell creates an autostart link; Loading BitLocker PowerShell Module) starts WmiPrvSE.exe and conhost.exe. WerFault.exe drops C:\ProgramData\Microsoft\...\Report.wer (Unicode).

        Source | Detection | Scanner | Label | Link
        file.exe | 26% | ReversingLabs | Win64.Trojan.Generic |
        file.exe | 100% | Joe Sandbox ML | |
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        http://nuget.org/NuGet.exe | 0% | URL Reputation | safe |
        http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe |
        https://go.micro | 0% | URL Reputation | safe |
        https://contoso.com/ | 0% | URL Reputation | safe |
        https://nuget.org/nuget.exe | 0% | URL Reputation | safe |
        https://contoso.com/License | 0% | URL Reputation | safe |
        https://contoso.com/Icon | 0% | URL Reputation | safe |
        https://oneget.orgX | 0% | URL Reputation | safe |
        http://upx.sf.net | 0% | URL Reputation | safe |
        https://aka.ms/pscore68 | 0% | URL Reputation | safe |
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
        https://oneget.org | 0% | URL Reputation | safe |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        18.31.95.13.in-addr.arpa | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000008.00000002.2298830125.0000028C58DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321964168.0000028C6753B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321964168.0000028C67671000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000008.00000002.2298830125.0000028C58D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000008.00000002.2298830125.0000028C58D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://go.micro | powershell.exe, 00000008.00000002.2298830125.0000028C580F2000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000008.00000002.2321964168.0000028C67671000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000008.00000002.2298830125.0000028C58DA5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321964168.0000028C6753B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2321964168.0000028C67671000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000008.00000002.2321964168.0000028C67671000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000008.00000002.2321964168.0000028C67671000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://oneget.orgX | powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://upx.sf.net | Amcache.hve.11.dr | false | URL Reputation: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000008.00000002.2298830125.0000028C574C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000008.00000002.2298830125.0000028C574C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000008.00000002.2298830125.0000028C58D1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://oneget.org | powershell.exe, 00000008.00000002.2298830125.0000028C58B7B000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.196.10.218 | unknown | Switzerland | 42624 | SIMPLECARRIERCH | false
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1546399
                Start date and time:2024-10-31 21:07:45 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 50s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Run name:Run with higher sleep bypass
Number of new started processes analysed:20
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.spre.expl.evad.mine.winEXE@16/13@1/1
                EGA Information:
                • Successful, ratio: 66.7%
                HCA Information:
                • Successful, ratio: 87%
                • Number of executed functions: 20
                • Number of non-executed functions: 7
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.168.117.173
                • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target powershell.exe, PID 3212 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtCreateKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • VT rate limit hit for: file.exe
Time | Type | Description
21:08:47 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.196.10.218 | file.exe | malicious | Unknown |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
SIMPLECARRIERCH | file.exe | malicious | Unknown | 185.196.10.218
SIMPLECARRIERCH | sipari_.exe | malicious | AgentTesla | 185.196.9.150
SIMPLECARRIERCH | UGcjMkPWwW.exe | malicious | RHADAMANTHYS | 185.196.11.237
SIMPLECARRIERCH | x86_64.bin.elf | malicious | Unknown | 185.196.10.215
SIMPLECARRIERCH | fEv4R2ahiLCQa5O.exe | malicious | AgentTesla | 185.196.9.150
SIMPLECARRIERCH | PW68YarHboeikgM.exe | malicious | AgentTesla | 185.196.9.150
SIMPLECARRIERCH | IND24072113.xlsx | malicious | Unknown | 185.196.10.234
SIMPLECARRIERCH | SecuriteInfo.com.Win32.MalwareX-gen.30759.2179.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 185.196.9.150
SIMPLECARRIERCH | request-BPp -RFQ 0975432.exe | malicious | PureLog Stealer | 185.196.10.234
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):65536
                  Entropy (8bit):1.1482539230937496
                  Encrypted:false
                  SSDEEP:192:zdB6yS5vOPU0UnUg0xaWBHpcSQOIdzuiFPZ24lO8iyEB:P6hOXUnUVamHieIzuiFPY4lO8iT
                  MD5:DAF6FDB99E768C84A21EBCA0EC28F2BD
                  SHA1:206BDB3D90B6EC1A8A8187EB3EF26B7633DD4995
                  SHA-256:192F5073224BDEFB55AB14D425F2381E90CA2899595ED70CF16D3828F7EDB709
                  SHA-512:32710FB6F1246B8684C0F9A9A7DD5F5636C1D749B9AC6E382A5FE457002A5B54FE5590997DCA0023F3F2D7DD48A4902EE9BDF97FD2B007ADC2A80F21C6892ACF
                  Malicious:true
                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.8.7.8.9.2.2.2.1.1.3.2.8.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.8.7.8.9.2.3.4.1.4.4.5.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.1.5.5.9.5.1.5.-.5.a.2.b.-.4.5.5.4.-.8.f.c.e.-.f.d.8.c.b.c.9.d.c.4.7.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.4.5.d.2.3.b.-.e.8.7.0.-.4.d.f.7.-.b.9.5.a.-.8.9.4.9.d.f.5.5.a.f.8.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.F.u.c.k.i.n.g.S.h.i.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.6.4.0.-.0.0.0.1.-.0.0.1.5.-.5.e.b.b.-.b.8.a.c.d.0.2.b.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.3.7.a.6.c.6.3.8.f.5.6.b.c.f.2.3.e.8.5.7.0.f.c.8.f.1.1.f.3.3.0.0.0.0.0.0.0.0.!.0.0.0.0.c.2.4.9.3.3.a.5.0.0.5.c.c.5.8.f.d.a.c.c.e.d.1.2.4.f.9.3.a.d.b.7.4.c.2.3.7.4.8.b.!.f.i.l.e...e.x.e.....T.a.r.
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:Mini DuMP crash report, 16 streams, Thu Oct 31 20:08:42 2024, 0x1205a4 type
                  Category:dropped
                  Size (bytes):453863
                  Entropy (8bit):3.3224623201852417
                  Encrypted:false
                  SSDEEP:3072:6azqdQnA1CCq+F53+vnVQ4OF//McSPJo5qMAOMKv:6imrqi3QnVQV6G5q
                  MD5:39955C167B3EFC016A93513898A95760
                  SHA1:CCEC2F73D7A3F47CD4F202771BA6ED6F05B6825C
                  SHA-256:D26312C877B6AB7F42EDDB2B268BF51B019CE6FD25063565241BF94257E28FA7
                  SHA-512:8847406279F37B3313D05B931244E5484C8BFB3CA3A6CB1DADF39AEE14DD4CAB8EF420DE7983786E0D2DEC298D90C3BB4558C06659B0C8408D58A5286ED92420
                  Malicious:false
                  Preview:MDMP..a..... .........#g............D...............d.......$...@%..........d%......dL.............l.......8...........T...........P8..............HC..........4E..............................................................................eJ.......E......Lw......................T.......@.....#g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):8576
                  Entropy (8bit):3.7034432451465173
                  Encrypted:false
                  SSDEEP:192:R6l7wVeJVCyB35P6Y2DAYPgmfBKLtpr/89bYDzfSom:R6lXJVx5P6YdAgmf4LQYXf8
                  MD5:1E07F6A33D8A14D37AF8C8D53C976C40
                  SHA1:83E2BEC19704F0B76D7BF8DDBECEE6E0037B69F1
                  SHA-256:AB7DC3584C9CD76518B6FB4C4F12DBD54F96684C06B795AEBB9635EB64B9BE4E
                  SHA-512:5F64CAEA7007F9131C38EF4A124D11207CA74F8D0ECC4127128BA146F95370828BB9EADB45F91FF156F6608AEA2AD7CD2A79198116279A35E7A4893FE8BA2C97
                  Malicious:false
                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.6.0.0.<./.P.i.
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):4729
                  Entropy (8bit):4.490953549385804
                  Encrypted:false
                  SSDEEP:48:cvIwWl8zshJg771I9/EWpW8VYeYm8M4J4DFao2yq85ZWqvShyd:uIjfzI78d7VOJc2hhhyd
                  MD5:9F096CE18D211B61A280FB385287BEDC
                  SHA1:82C5E1CDE57DCB6375FA8293A9D641E12419324E
                  SHA-256:BD1B4C2C6F2093AC7A885E29DB2C6A495B9CA2302DC4A53287D2F5089526EEDB
                  SHA-512:E4141F5B4903DF2955B1AB4B9C45415D16CCA368F276EFF20CCCBC62D7DF52FE7663F42CC3A0A091BAA233F389BC2C7F72DE8C93E253184DD43A653C074C3806
                  Malicious:false
                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="568031" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):1.1940658735648508
                  Encrypted:false
                  SSDEEP:3:NlllulNg7/l/lZ:NllUy7/
                  MD5:C2537D289A7DB67172EF4C08F96CB120
                  SHA1:95114E0682CC761B86321F0DCC5CBE9A3E89DB21
                  SHA-256:26D1A27AED70765338B4BCFEDC7C23289CFDA9A984B1A55799FB89CFAE10C3C9
                  SHA-512:B991F49ECB907FA7CFCF6121BA004C1C5156A86F508E22B76FD1E53B21B7D6C4831EFF8EBCFB2CC9CB97E44DD578B276B734CB1D3CE96355E51C4578FB227603
                  Malicious:false
                  Preview:@...e................................................@..........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Dec 7 08:10:35 2019, mtime=Thu Oct 31 19:08:41 2024, atime=Sat Dec 7 08:10:35 2019, length=2759232, window=hide
                  Category:dropped
                  Size (bytes):1211
                  Entropy (8bit):4.644324339925823
                  Encrypted:false
                  SSDEEP:24:8uEzOtSck0S3R7EmyzFu+AoEj+gj3L+t2bIPqygm:8ZKScKh4mtFoE7+tETyg
                  MD5:669872F3AC2DF0F3ACE5A68DFD2BD79F
                  SHA1:7D01C90CD9AC8AC04806A8C546DB8ADF0552E81F
                  SHA-256:0CDF0F61307A1DAD6D0F54329ED128CBBF1B0C9E5FA7333AC64312A0C2293446
                  SHA-512:A5B7D10A52890C0EF301704DE2615E98C8E4A5EC15854589D2E169B1DE3BC9B1F4B3FB61F07045928DAD0F4168DF0A57359E675A0AD7F6B5302E0D719F5BC534
                  Malicious:true
                  Preview:L..................F.... ...q../...o.O..+..q../...@.*..........................P.O. .:i.....+00.../C:\...................V.1.....EW.5..Windows.@......OwH_Y......3.....................#s..W.i.n.d.o.w.s.....h.1.....DW.H..Microsoft.NET.L......O.IEW.3..............................M.i.c.r.o.s.o.f.t...N.E.T.....b.1.....CW.V..Framework64.H......O.I_Y......c......................hU.F.r.a.m.e.w.o.r.k.6.4.....`.1.....DW.H..v4.0.30319..F......O.I_Y......d.........................v.4...0...3.0.3.1.9.....V.2.@.*..ORI .csc.exe.@......ORI_Y..................p..........#..c.s.c...e.x.e.......f...............-.......e.............c].....C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe..O.....\.....\.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.M.i.c.r.o.s.o.f.t...N.E.T.\.F.r.a.m.e.w.o.r.k.6.4.\.v.4...0...3.0.3.1.9.\.c.s.c...e.x.e.........$..................C..B..g..(.#....`.......X.......899552...........hT..CrF.f4... .....Jc...-...-$..hT..CrF.f4... .....Jc...-...-$....
                  Process:C:\Windows\System32\WerFault.exe
                  File Type:MS Windows registry file, NT/2000 or above
                  Category:dropped
                  Size (bytes):1835008
                  Entropy (8bit):4.468707718973842
                  Encrypted:false
                  SSDEEP:6144:DzZfpi6ceLPx9skLmb0fdZWSP3aJG8nAgeiJRMMhA2zX4WABluuNbjDH5S:/ZHtdZWOKnMM6bFp9j4
                  MD5:5884D36C691B452D1B2FE73669483A5B
                  SHA1:6A11402503A940275C9F8FC87AFB24D31590DD19
                  SHA-256:D19110B3657F1B1883DF876E2DC9EB6AD15DDDF4B012167B55B4B488573089C6
                  SHA-512:B7B5181F2AD58B87ADD27B6C1C7F576F967348618493F022E31AFC0C3BEE1938595101530B6FBD64A5BF5003A373F214A04438819AE7A754BE29AE44CF0F0AA7
                  Malicious:false
                  Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....+..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):6.590063336946629
                  TrID:
                  • Win64 Executable Console Net Framework (206006/5) 48.58%
                  • Win64 Executable Console (202006/5) 47.64%
                  • Win64 Executable (generic) (12005/4) 2.83%
                  • Generic Win/DOS Executable (2004/3) 0.47%
                  • DOS Executable Generic (2002/1) 0.47%
                  File name:file.exe
                  File size:6'421'135 bytes
                  MD5:015213997f4a1fc3503b19e2356738b2
                  SHA1:c24933a5005cc58fdacced124f93adb74c23748b
                  SHA256:b674f985f144f65b754715572db0cb17c0db762eb6d5217fbb93b15433572d97
                  SHA512:148e3833dd853881b5e8231fca26ba947dca9f5c0e783362c9afc97c10ee4bb392c26ecab57d90bdbaae8a39bc937798a2864cbdd92ef490af674a612863ddd4
                  SSDEEP:98304:tYweRLoL6mNCxDD/JXZU44RXgYja8MTyMfHN:9eRrmkRy5pjuT/N
                  TLSH:4756335AB6974D07FC1615B6DCE232F121FC2D87B0F1964FCF16AE088A648BE2985533
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....f#g.........."...0.>'............... ....@...... ....................................`................................
                  Icon Hash:00928e8e8686b000
                  Entrypoint:0x400000
                  Entrypoint Section:
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows cui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x672366A9 [Thu Oct 31 11:14:49 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:
                  Instruction
                  dec ebp
                  pop edx
                  nop
                  add byte ptr [ebx], al
                  add byte ptr [eax], al
                  add byte ptr [eax+eax], al
                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x5f6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x469e | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x273e | 0x2800 | 19d216850c30357756057d994f99afe6 | False | 0.62109375 | data | 6.2483582766394115 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x5f6 | 0x600 | c49dc9dc5c1b1149f6f38bdcafe82caa | False | 0.4166666666666667 | data | 4.214703724660371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x60a0 | 0x36c | data | | | 0.3938356164383562
RT_MANIFEST | 0x640c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-31T21:08:55.542812+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.6 | 49748 | TCP
2024-10-31T21:09:16.157046+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.6 | 50915 | TCP
2024-10-31T21:09:17.844886+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.109.210.53 | 443 | 192.168.2.6 | 50923 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 31, 2024 21:08:57.671550035 CET | 58108 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:08:57.676517963 CET | 9889 | 58108 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:08:57.676615953 CET | 58108 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:06.931366920 CET | 9889 | 58108 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:06.931421995 CET | 58108 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:06.931566000 CET | 58108 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:06.931905031 CET | 58156 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:06.936645031 CET | 9889 | 58108 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:06.936887980 CET | 9889 | 58156 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:06.936959028 CET | 58156 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:15.445761919 CET | 9889 | 58156 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:15.445904970 CET | 58156 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:15.446065903 CET | 58156 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:15.446336985 CET | 50919 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:15.451061964 CET | 9889 | 58156 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:15.451328039 CET | 9889 | 50919 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:15.451453924 CET | 50919 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:23.953516960 CET | 9889 | 50919 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:23.955172062 CET | 50919 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:23.958468914 CET | 50919 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:23.958770037 CET | 50967 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:23.963896990 CET | 9889 | 50919 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:23.964056015 CET | 9889 | 50967 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:23.964128017 CET | 50967 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:32.460150003 CET | 9889 | 50967 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:32.460340023 CET | 50967 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:32.460441113 CET | 50967 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:32.460771084 CET | 51008 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:32.465763092 CET | 9889 | 50967 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:32.465770006 CET | 9889 | 51008 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:32.465877056 CET | 51008 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:40.950803041 CET | 9889 | 51008 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:40.951216936 CET | 51008 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:40.951493025 CET | 51008 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:40.951603889 CET | 51046 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:40.958281040 CET | 9889 | 51008 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:40.958415985 CET | 9889 | 51046 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:40.958492994 CET | 51046 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:49.455637932 CET | 9889 | 51046 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:49.455827951 CET | 51046 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:49.456058979 CET | 51046 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:49.456357956 CET | 51048 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:49.460830927 CET | 9889 | 51046 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:49.461301088 CET | 9889 | 51048 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:49.461426973 CET | 51048 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:57.956753969 CET | 9889 | 51048 | 185.196.10.218 | 192.168.2.6
Oct 31, 2024 21:09:57.956955910 CET | 51048 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:57.957372904 CET | 51048 | 9889 | 192.168.2.6 | 185.196.10.218
Oct 31, 2024 21:09:57.958050966 CET | 51049 | 9889 | 192.168.2.6 | 185.196.10.218
                  Oct 31, 2024 21:09:57.962114096 CET988951048185.196.10.218192.168.2.6
                  Oct 31, 2024 21:09:57.962920904 CET988951049185.196.10.218192.168.2.6
                  Oct 31, 2024 21:09:57.963037014 CET510499889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:06.455648899 CET988951049185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:06.455764055 CET510499889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:06.536083937 CET510509889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:06.536118031 CET510499889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:06.541090012 CET988951050185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:06.541179895 CET510509889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:06.541232109 CET988951049185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:15.044409990 CET988951050185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:15.044490099 CET510509889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:15.044838905 CET510529889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:15.044846058 CET510509889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:15.049607992 CET988951050185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:15.049683094 CET988951052185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:15.049937010 CET510529889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:23.921494007 CET988951052185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:23.921593904 CET510529889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:23.922002077 CET510539889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:23.922030926 CET510529889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:23.927027941 CET988951052185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:23.927041054 CET988951053185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:23.927109957 CET510539889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:32.416340113 CET988951053185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:32.416416883 CET510539889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:32.416846991 CET510549889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:32.417032957 CET510539889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:32.421726942 CET988951054185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:32.421791077 CET988951053185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:32.421808958 CET510549889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:40.907741070 CET988951054185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:40.907841921 CET510549889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:40.908026934 CET510549889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:40.908273935 CET510559889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:40.912801027 CET988951054185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:40.913079977 CET988951055185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:40.913175106 CET510559889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:49.405030966 CET988951055185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:49.405148029 CET510559889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:49.405291080 CET510559889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:49.405594110 CET510579889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:49.410021067 CET988951055185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:49.410410881 CET988951057185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:49.410511971 CET510579889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:57.909518957 CET988951057185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:57.909745932 CET510579889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:57.909801006 CET510579889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:57.910094023 CET510589889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:10:57.914832115 CET988951057185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:57.915023088 CET988951058185.196.10.218192.168.2.6
                  Oct 31, 2024 21:10:57.915090084 CET510589889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:06.770735025 CET988951058185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:06.770895958 CET510589889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:06.771174908 CET510589889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:06.771850109 CET510599889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:06.776072979 CET988951058185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:06.776751995 CET988951059185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:06.776881933 CET510599889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:15.268455029 CET988951059185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:15.268548965 CET510599889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:15.268701077 CET510599889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:15.268958092 CET510609889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:15.274722099 CET988951059185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:15.274735928 CET988951060185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:15.274828911 CET510609889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:23.780534983 CET988951060185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:23.780610085 CET510609889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:23.780769110 CET510609889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:23.781100035 CET510619889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:23.789218903 CET988951060185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:23.790026903 CET988951061185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:23.790105104 CET510619889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:32.304781914 CET988951061185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:32.304896116 CET510619889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:32.305197954 CET510619889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:32.305881977 CET510629889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:32.310492039 CET988951061185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:32.311039925 CET988951062185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:32.311165094 CET510629889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:41.438749075 CET988951062185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:41.438944101 CET510629889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:41.439182043 CET510639889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:41.439214945 CET510629889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:41.440512896 CET988951062185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:41.440567970 CET510629889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:41.441262960 CET988951062185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:41.441303968 CET510629889192.168.2.6185.196.10.218
                  Oct 31, 2024 21:11:41.448147058 CET988951062185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:41.448158979 CET988951063185.196.10.218192.168.2.6
                  Oct 31, 2024 21:11:41.448256016 CET510639889192.168.2.6185.196.10.218
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Oct 31, 2024 21:08:56.899333000 CET | 53 | 60236 | 1.1.1.1 | 192.168.2.6
                  Oct 31, 2024 21:09:10.617266893 CET | 53 | 53885 | 162.159.36.2 | 192.168.2.6
                  Oct 31, 2024 21:09:11.239130020 CET | 56772 | 53 | 192.168.2.6 | 1.1.1.1
                  Oct 31, 2024 21:09:11.246129990 CET | 53 | 56772 | 1.1.1.1 | 192.168.2.6

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Oct 31, 2024 21:09:11.239130020 CET | 192.168.2.6 | 1.1.1.1 | 0x5fef | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Oct 31, 2024 21:09:11.246129990 CET | 1.1.1.1 | 192.168.2.6 | 0x5fef | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


                  Target ID:0
                  Start time:16:08:38
                  Start date:31/10/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0x227ff190000
                  File size:6'421'135 bytes
                  MD5 hash:015213997F4A1FC3503B19E2356738B2
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2523983783.0000022781CC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true

                  Target ID:1
                  Start time:16:08:38
                  Start date:31/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:16:08:40
                  Start date:31/10/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\file.exe" -Force
                  Imagebase:0x7ff6e3d50000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:16:08:40
                  Start date:31/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:16:08:41
                  Start date:31/10/2024
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
                  Imagebase:0x7ff7e8ea0000
                  File size:2'759'232 bytes
                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Go lang
                  Reputation:moderate
                  Has exited:false

                  Target ID:6
                  Start time:16:08:41
                  Start date:31/10/2024
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Wow64 process (32bit):
                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
                  Imagebase:
                  File size:2'759'232 bytes
                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate
                  Has exited:false

                  Target ID:8
                  Start time:16:08:41
                  Start date:31/10/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Nexus.lnk'); $s.TargetPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe'; $s.Save()"
                  Imagebase:0x7ff6e3d50000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:16:08:41
                  Start date:31/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:11
                  Start time:16:08:41
                  Start date:31/10/2024
                  Path:C:\Windows\System32\WerFault.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\WerFault.exe -u -p 1600 -s 1060
                  Imagebase:0x7ff6b93a0000
                  File size:570'736 bytes
                  MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:12
                  Start time:16:08:45
                  Start date:31/10/2024
                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                  Imagebase:0x7ff717f30000
                  File size:496'640 bytes
                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                  Has elevated privileges:true
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:14
                  Start time:16:08:55
                  Start date:31/10/2024
                  Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
                  Imagebase:0x7ff7e8ea0000
                  File size:2'759'232 bytes
                  MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:15
                  Start time:16:08:55
                  Start date:31/10/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff66e660000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true


                    Execution Graph

                    Execution Coverage:10.7%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:0%
                    Total number of Nodes:6
                    Total number of Limit Nodes:0

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: fish$h3r4$pTr4$xIr4$Hr4$eW4
                    • API String ID: 0-1040222444
                    • Opcode ID: 2dc3c57ff8323206c31588502f7aea74b87c72c8bbef81a594b31d51823a567a
                    • Instruction ID: fff6d3ba092a0c911c0035b2e23e08c3521f42223670c4b37c5a5f5de0390c9c
                    • Opcode Fuzzy Hash: 2dc3c57ff8323206c31588502f7aea74b87c72c8bbef81a594b31d51823a567a
                    • Instruction Fuzzy Hash: 7AD13832B1CB5A4FE79CAF2894B51F973D1EF96314B04017ED58BC7292DE5CA8029781
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: DK_H$X7u4$pXu4$pXu4$)r4
                    • API String ID: 0-66872347
                    • Opcode ID: ec7593750a20016501f1e65bbc8efece53d06596c4f15dc58f853cf906507026
                    • Instruction ID: 129c10e4cfdc6ed867e0bd040067fbb012ac29676e3a9d99ec5e4789b7006583
                    • Opcode Fuzzy Hash: ec7593750a20016501f1e65bbc8efece53d06596c4f15dc58f853cf906507026
                    • Instruction Fuzzy Hash: 6EB2553060DB994FE759DF28C4A14B5B7E1FF96301B0445BEE48AC72A6DE38E846C781

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: ({u4$#hK
                    • API String ID: 0-898385496
                    • Opcode ID: adff3416145c54f239f22f73d44e5a079eeecf84b7a298d08dce8f5de4f59c61
                    • Instruction ID: d2d7fc86c51338f40a294c055b55a5073134dcd12584c32877893e9abd0d3fe8
                    • Opcode Fuzzy Hash: adff3416145c54f239f22f73d44e5a079eeecf84b7a298d08dce8f5de4f59c61
                    • Instruction Fuzzy Hash: BC621871A0CB594FE749DF28C8A54B5BBE1FF96305B1445BED18AC72A3DA38E842C740
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2598674457.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34760000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: A
                    • API String ID: 0-3554254475
                    • Opcode ID: ab61b85365860824867ff7d135111568804902ed71980f02c09287a5fdadfe94
                    • Instruction ID: 8d44217773dbccfbbec95cc244cc030da925e0c96dc3bd471f8c09626d30d695
                    • Opcode Fuzzy Hash: ab61b85365860824867ff7d135111568804902ed71980f02c09287a5fdadfe94
                    • Instruction Fuzzy Hash: 37E229B2A0D7C58FEB56DB2888A55A47BE1EF57310F0805FEC589CB193DA2C7806C781

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: hYu4$pXu4
                    • API String ID: 0-609045150
                    • Opcode ID: dd1b00ad0469349ef727cbdff40ef67526bfcecb35960a61f8d2f7ff93e916e4
                    • Instruction ID: 6133ea3312838fc47a959522f42a4bc6996e3d22cb9b18f9eb655922096f0cf6
                    • Opcode Fuzzy Hash: dd1b00ad0469349ef727cbdff40ef67526bfcecb35960a61f8d2f7ff93e916e4
                    • Instruction Fuzzy Hash: 97222432B0DA5A0FE7ACDE2884B56B937D5FF96310B0501BED58EC72D2DD5CA8069381

                    Control-flow Graph
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: d
                    • API String ID: 0-2564639436
                    • Opcode ID: d904599a804b1cf31ca96aa3242bb6b94b986c7ad0dc7cbf5c34176049b2c209
                    • Instruction ID: 4631ea11cc15fe14d35bd5cc386357191392ba22deeb6736410de0c07db5271c
                    • Opcode Fuzzy Hash: d904599a804b1cf31ca96aa3242bb6b94b986c7ad0dc7cbf5c34176049b2c209
                    • Instruction Fuzzy Hash: FF224232B1DA990FE798DF2898E15B177D0EF56314B1442BAD58EC7197EE28E843C780
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8b59064a029408e3ae51dbca3c37bd9cd78d9d790cb61fba5cfd6a1aa672a3e1
                    • Instruction ID: d2b2be9b670f004976d9d5e9eae07b1532d0f0a54eef99a27d35304332a1d5b5
                    • Opcode Fuzzy Hash: 8b59064a029408e3ae51dbca3c37bd9cd78d9d790cb61fba5cfd6a1aa672a3e1
                    • Instruction Fuzzy Hash: C49256B1A2DA964FE7A98F1484A16F577D1EF92310F0441BDD28ECB5D3DE2CA845C780
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 78f992007485ff58fe79f6810275eb2f71e47f869394680b063ed9902ee9f64f
                    • Instruction ID: 5df60884e252bea94300f02a5760dbc3d64d7f90ffff8efb315f28990595d0d6
                    • Opcode Fuzzy Hash: 78f992007485ff58fe79f6810275eb2f71e47f869394680b063ed9902ee9f64f
                    • Instruction Fuzzy Hash: 2C42C930B08A594FDB68DF28D4A5AB977E1FF5A301F14017EE08EC72D2DE68AC429741
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 74fe1075cb6a20800bab452a8c8c86e5644cdbfcecb1669e094c8014615a4f91
                    • Instruction ID: 94ce6b079df217d56083174b4e589b5904fe6cb03c2d23096fd18c674e714225
                    • Opcode Fuzzy Hash: 74fe1075cb6a20800bab452a8c8c86e5644cdbfcecb1669e094c8014615a4f91
                    • Instruction Fuzzy Hash: 4BD1473160CB964FE319CF2984A11B177E2FFD2301B1486BED5CAC72A6DE78A442D781
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: a10f457844c780184dacd83db4bbb07ec7ee4cd974bb2d6dac7fac0eeb4a961a
                    • Instruction ID: 21d1de3eea4e3ee80d42f33fd400c29a2de713c32a7d29bbc2b0f4d3c75496a7
                    • Opcode Fuzzy Hash: a10f457844c780184dacd83db4bbb07ec7ee4cd974bb2d6dac7fac0eeb4a961a
                    • Instruction Fuzzy Hash: A9412B3190C7884FDB199BA898566F97FE0EF96321F0443AFD089D3193DB786846C792
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID: ConsoleFree
                    • String ID:
                    • API String ID: 771614528-0
                    • Opcode ID: 9df1e23430c3836f0bd28f8de9f67e96d7ba11fb97958779738b1dced5c5d4be
                    • Instruction ID: 12f287055a2d0d1900401423e9c44d1c2815c04892b83d390eb1491547cb0981
                    • Opcode Fuzzy Hash: 9df1e23430c3836f0bd28f8de9f67e96d7ba11fb97958779738b1dced5c5d4be
                    • Instruction Fuzzy Hash: 9A31C33090DB888FDB1ADBA8D855AEA7FF0EF56320F04419FD089C7563D6646849CB52
                    Memory Dump Source
                    • Source File: 00000000.00000002.2598674457.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34760000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5386898f64184a33df4407eed73e4f55a749f4786e335bbc5f5556b07f2540d7
                    • Instruction ID: ccbe2924a9e4b39f03530e16bcce5ea2ab607b4b9dbbc9b7e0a6cb422b55a7b9
                    • Opcode Fuzzy Hash: 5386898f64184a33df4407eed73e4f55a749f4786e335bbc5f5556b07f2540d7
                    • Instruction Fuzzy Hash: 32710671A0DB898FEB96DB6888B95A57BE1EF56314B0504FBC0CAC7593DE1CB801C781
                    Memory Dump Source
                    • Source File: 00000000.00000002.2598674457.00007FFD34760000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34760000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34760000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 13b457dff99052ecc2687c93b5cefe12ebd6ac4eefb08ae6eccfb16697e07578
                    • Instruction ID: be7f799f3014632ebeaf955a0b3c755e7022ee3f4073c964b5035afcea164c7b
                    • Opcode Fuzzy Hash: 13b457dff99052ecc2687c93b5cefe12ebd6ac4eefb08ae6eccfb16697e07578
                    • Instruction Fuzzy Hash: 08312372B08A4D8FEF95DF18C8AA4B8B7E2FF55310B04057AD18AD7595DE28B801C7C0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2597186150.00007FFD34690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34690000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ffd34690000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c3d17fa20ffa1ebc3a758263925440aab82445048e267b8c0528a5b9ed450d75
                    • Instruction ID: 140142652be17de656a1fbbe52a5c9f4407f2f3ebda1df589e3ddb7853220dbc
                    • Opcode Fuzzy Hash: c3d17fa20ffa1ebc3a758263925440aab82445048e267b8c0528a5b9ed450d75
                    • Instruction Fuzzy Hash: 9A31BC27B4CA624ADA163AFCF4120FBB714DFD633A748467BD1C8A90638D15208A8AD5

                    Execution Graph

                    Execution Coverage: 1.2%
                    Dynamic/Decrypted Code Coverage: 0%
                    Signature Coverage: 3%
                    Total number of Nodes: 846
                    Total number of Limit Nodes: 69
44550->44553 44569 44072f 44550->44569 44552 4406d0 44551->44552 44552->44518 44556 44071b 44553->44556 44638 40c8c0 CreateFileW 44553->44638 44557 440260 CreateFileW 44554->44557 44558 440260 CreateFileW 44555->44558 44639 40c7c0 CreateFileW 44556->44639 44561 44067c 44557->44561 44562 44060e 44558->44562 44561->44518 44562->44518 44563 440729 44563->44518 44564 440791 44565 4407a6 44564->44565 44566 44084b 44564->44566 44567 4407eb 44565->44567 44570 4407c5 44565->44570 44645 40c7c0 CreateFileW 44566->44645 44642 448fe0 CreateFileW 44567->44642 44569->44564 44640 40c8c0 CreateFileW 44569->44640 44641 40c7c0 CreateFileW 44570->44641 44571 440859 44575 440260 CreateFileW 44571->44575 44578 440867 44575->44578 44576 440825 44643 40c7c0 CreateFileW 44576->44643 44577 4407d3 44580 440260 CreateFileW 44577->44580 44578->44518 44582 4407e5 44580->44582 44581 440833 44583 440845 44581->44583 44644 442920 CreateFileW 44581->44644 44582->44518 44583->44518 44585->44518 44612 436a32 44586->44612 44587 438f40 CreateFileW 44587->44612 44588 436e45 44588->44533 44590 436a97 44626 40c7c0 CreateFileW 44590->44626 44592 436700 CreateFileW 44592->44612 44593 436aa6 44593->44533 44594 436b46 44627 40c7c0 CreateFileW 44594->44627 44596 436b55 44628 40c560 CreateFileW 44596->44628 44599 436b90 44600 436400 CreateFileW 44599->44600 44602 436bad 44600->44602 44603 436de1 44602->44603 44604 436bcd 44602->44604 44631 40c7c0 CreateFileW 44603->44631 44606 436480 CreateFileW 44604->44606 44608 436bf7 44606->44608 44629 40c7c0 CreateFileW 44608->44629 44610 436def 44613 436400 CreateFileW 44610->44613 44612->44586 44612->44587 44612->44588 44612->44590 44612->44592 44612->44594 44625 40c560 CreateFileW 44612->44625 44632 43a9e0 CreateFileW 44612->44632 44633 43b260 CreateFileW 44612->44633 44634 43afa0 CreateFileW 44612->44634 44635 43ac20 CreateFileW 44612->44635 44636 43aa40 CreateFileW 44612->44636 44614 436e0c 44613->44614 44614->44533 44616 436c17 44617 436d45 44616->44617 44630 43a520 
CreateFileW 44616->44630 44619 436400 CreateFileW 44617->44619 44621 436d92 44619->44621 44620 436ced 44620->44617 44623 436480 CreateFileW 44620->44623 44622 436400 CreateFileW 44621->44622 44624 436dc5 44622->44624 44623->44617 44624->44533 44625->44612 44626->44593 44627->44596 44628->44599 44629->44616 44630->44620 44631->44610 44632->44612 44633->44612 44634->44612 44635->44612 44636->44612 44637->44550 44638->44556 44639->44563 44640->44564 44641->44577 44642->44576 44643->44581 44644->44583 44645->44571 44659 4409ea 44646->44659 44647 447320 CreateFileW 44647->44659 44649 440540 CreateFileW 44649->44659 44651 440a8a 44682 4470c0 CreateFileW 44651->44682 44653 440a9a 44653->44504 44654 43a9e0 CreateFileW 44654->44659 44655 43b260 CreateFileW 44655->44659 44656 43b1e0 CreateFileW 44656->44659 44657 43afa0 CreateFileW 44657->44659 44658 43aa40 CreateFileW 44658->44659 44659->44646 44659->44647 44659->44649 44659->44651 44659->44654 44659->44655 44659->44656 44659->44657 44659->44658 44660 43ac20 CreateFileW 44659->44660 44661 438f40 CreateFileW 44659->44661 44680 447500 CreateFileW 44659->44680 44681 40c940 CreateFileW 44659->44681 44660->44659 44661->44659 44663 442986 44662->44663 44663->44662 44664 4429b9 44663->44664 44665 438f40 CreateFileW 44663->44665 44666 4408a0 CreateFileW 44664->44666 44665->44663 44667 4429be 44666->44667 44667->44504 44669 440e0a 44668->44669 44669->44668 44671 440e39 44669->44671 44683 431120 CreateFileW 44669->44683 44684 43d8c0 CreateFileW 44671->44684 44673 440e9b 44674 440ef3 44673->44674 44685 436940 CreateFileW 44673->44685 44676 440f25 44674->44676 44686 45b040 CreateFileW 44674->44686 44676->44504 44678->44504 44679->44504 44680->44659 44681->44659 44682->44653 44683->44671 44684->44673 44685->44674 44686->44676 44687 447e60 44688 447e6a 44687->44688 44688->44687 44691 447ec7 44688->44691 44693 436680 44688->44693 44690 436480 CreateFileW 44692 447f1a 44690->44692 44691->44690 44694 436320 CreateFileW 44693->44694 44695 
4366d6 44694->44695 44695->44691 44696 4510a0 44731 4510b2 44696->44731 44697 43a9e0 CreateFileW 44697->44731 44699 451426 44701 45143b 44699->44701 44758 451d60 CreateFileW 44699->44758 44700 451471 44709 4514af 44700->44709 44761 455fe0 CreateFileW 44700->44761 44702 45145e 44701->44702 44759 443800 CreateFileW 44701->44759 44760 443400 CreateFileW 44702->44760 44703 438f40 CreateFileW 44703->44731 44705 451582 44732 4515ca 44705->44732 44764 43a9e0 CreateFileW 44705->44764 44709->44705 44710 45150d 44709->44710 44762 43d8c0 CreateFileW 44710->44762 44711 43a9e0 CreateFileW 44711->44732 44714 451529 44741 450c60 44714->44741 44715 451594 44765 43b260 CreateFileW 44715->44765 44720 43b260 CreateFileW 44720->44731 44721 4515a5 44766 43afa0 CreateFileW 44721->44766 44725 451552 44726 4515b1 44767 43b260 CreateFileW 44726->44767 44728 4515c5 44768 43aa40 CreateFileW 44728->44768 44730 43aa40 CreateFileW 44730->44732 44731->44696 44731->44697 44731->44699 44731->44700 44731->44703 44731->44720 44733 43ac20 CreateFileW 44731->44733 44735 45e240 CreateFileW 44731->44735 44738 43b0e0 CreateFileW 44731->44738 44739 43aa40 CreateFileW 44731->44739 44740 43b1e0 CreateFileW 44731->44740 44771 43afa0 CreateFileW 44731->44771 44772 4551a0 CreateFileW 44731->44772 44732->44711 44732->44730 44734 43b0e0 CreateFileW 44732->44734 44736 43b260 CreateFileW 44732->44736 44769 438f40 CreateFileW 44732->44769 44770 43afa0 CreateFileW 44732->44770 44733->44731 44734->44732 44735->44731 44736->44732 44738->44731 44739->44731 44740->44731 44742 450c6f 44741->44742 44742->44741 44743 450c92 44742->44743 44744 438f40 CreateFileW 44742->44744 44745 44ff80 CreateFileW 44743->44745 44744->44742 44746 450d45 44745->44746 44748 450dba 44746->44748 44750 450ded 44746->44750 44777 438f40 CreateFileW 44746->44777 44778 450b00 CreateFileW 44748->44778 44773 45c800 CreateFileW 44750->44773 44754 450f36 44756 450f5c 44754->44756 44774 450760 CreateFileW 44754->44774 44775 45ce40 CreateFileW 
44754->44775 44755 450f91 44763 43d8c0 CreateFileW 44755->44763 44776 450260 CreateFileW 44756->44776 44758->44701 44759->44702 44760->44700 44761->44709 44762->44714 44763->44725 44764->44715 44765->44721 44766->44726 44767->44728 44768->44732 44769->44732 44770->44732 44771->44731 44772->44731 44773->44754 44774->44754 44775->44754 44776->44755 44777->44748 44778->44750 44779 4688c0 44780 4688f4 44779->44780 44781 4688ef 44779->44781 44788 4431e0 44780->44788 44802 43c340 CreateFileW 44781->44802 44789 4431ea 44788->44789 44789->44788 44804 43d8c0 CreateFileW 44789->44804 44791 443238 44796 443265 44791->44796 44805 45b340 CreateFileW 44791->44805 44793 4433c7 44794 442d40 CreateFileW 44793->44794 44795 4433cc 44794->44795 44803 43c380 CreateFileW 44795->44803 44796->44793 44806 43d8c0 CreateFileW 44796->44806 44798 44335d 44801 44337b 44798->44801 44807 45b480 CreateFileW 44798->44807 44799 440e00 CreateFileW 44799->44793 44801->44799 44804->44791 44805->44796 44806->44798 44807->44801 44808 4686a0 44809 4686c0 44808->44809 44812 46f540 44809->44812 44811 468809 44815 4451a0 44812->44815 44816 4451a6 44815->44816 44816->44815 44817 468940 CreateFileW 44816->44817 44818 4451eb 44817->44818 44818->44811
                    Strings
                    Memory Dump Source
                    • Source File: 00000005.00000002.4017546134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_400000_csc.jbxd
                    Similarity
                    • API ID:
                    • String ID: .F$PowerRegisterSuspendResumeNotification$powrprof.dll
                    • API String ID: 0-3322427260
                    • Opcode ID: 44d24f89154824cc11c56763e591cdb9fb0a85941e7be42b470fd5cd78009dba
                    • Instruction ID: 965232fd85bd776f109a5cefa4b990e4cbb4f87958703785c264029de7cc8692
                    • Opcode Fuzzy Hash: 44d24f89154824cc11c56763e591cdb9fb0a85941e7be42b470fd5cd78009dba
                    • Instruction Fuzzy Hash: B3213536208F84C2DA01CF11F48535BB7A5F78AB84F589116EA8C47B68DF7DD195CB00
                    Memory Dump Source
                    • Source File: 00000005.00000002.4017546134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_400000_csc.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: cdd6910b81359d82a000ccbee3a73faa141a11c2b4a33abe83676cd268d41d19
                    • Instruction ID: 4d277e9a38b308075dea3b40fae763119b304e4283cc0bce953b090b49828a38
                    • Opcode Fuzzy Hash: cdd6910b81359d82a000ccbee3a73faa141a11c2b4a33abe83676cd268d41d19
                    • Instruction Fuzzy Hash: FD215E33608B8582DA10CB21F44236BB764F399BD8F549226EE9D47B99DB3DD191CB04
                    Memory Dump Source
                    • Source File: 00000005.00000002.4017546134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_400000_csc.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c03ad09ada82addc91113b371987d2570bc1e40ba6c4f6888c7805d04d17258c
                    • Instruction ID: 5f9b1e9abb5f0cd8c515e1f7192ac85a30b71cc5980b9a152863c510826f3cfe
                    • Opcode Fuzzy Hash: c03ad09ada82addc91113b371987d2570bc1e40ba6c4f6888c7805d04d17258c
                    • Instruction Fuzzy Hash: 8A110636604F89D0E600DB22F48632A7764F35AB84F458226DEAC83761DF3EC192C704
                    APIs
                    Memory Dump Source
                    • Source File: 00000005.00000002.4017546134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_400000_csc.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: d0420e7b245c68536b1289b904fe6097933a37c154ff1c15fd575de53d0a58cb
                    • Instruction ID: 689282ddd1dccc8a133a55a2cc78a95394f348243343486b182c0238c4023206
                    • Opcode Fuzzy Hash: d0420e7b245c68536b1289b904fe6097933a37c154ff1c15fd575de53d0a58cb
                    • Instruction Fuzzy Hash: 39115276601F80C1DB11CB1EE4813697374E349BE4F244216DFAD57795DB29E193CB44
                    Strings
                    • ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm, xrefs: 00421645
                    • base of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+134, xrefs: 0042165B
                    • marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during , xrefs: 0042169E
                    • greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has, xrefs: 004216AF
                    • runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflo, xrefs: 004215E7
                    • objgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfuncc, xrefs: 00421676
                    Memory Dump Source
                    • Source File: 00000005.00000002.4017546134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_400000_csc.jbxd
                    Similarity
                    • API ID:
                    • String ID: ) @s Pn=][}]> +25])idLlLtLuMn"tcpEOF???nilcgodnsudpftpssh::1set\\?NUL:\/\\.\??MayUTCEET+00+01CATWATEATGMTHSTHDT-03-04-05ESTCSTCDTMSTMDT-02EDTASTADTPSTPDTNSTNDT+06+03+04+07IST+09+08IDT+12PKT+11KST+05JST+10-01-11-12-08-09+13CETBSTMSK-06+14 m=StdDltintm$base of <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125quitbitsNameTypeermssse3avx2bmi1bmi2false<nil>Errorfileshttpsimap2imap3imapspop3shostswriteclosechdirLstatMarchApril+0530+0430+0545+0630+0330+0845+1030+1245+134$greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlinefindrunnable: netpoll with spinningpidleput: P has$marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during $objgc %: gp *(in n= ) - NaN P MPC= < end > ]:pc= G125625): TTLadxaesshaavxfmanet9889trueicmpigmpftpshttppop3smtp) = dialbindfile read on pipeunixopenStat.com.exe.bat.cmdpathJuneJulyEESTSASTAKSTAKDTACSTACDTAESTAEDTAWSTCESTNZSTNZDTboolint8uintchanfuncc$runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)LockOSThread nesting overflo
                    • API String ID: 0-2832768888
                    • Opcode ID: 169de8a3bab8cce5d1ba203b8d2577037a4726d31b8877cf2e6c9ff4dc77fe63
                    • Instruction ID: e0e71f5e75f83ecd7fb880455a270d1ff5eef260204314e596b1d4974127170c
                    • Opcode Fuzzy Hash: 169de8a3bab8cce5d1ba203b8d2577037a4726d31b8877cf2e6c9ff4dc77fe63
                    • Instruction Fuzzy Hash: 1161CE72704B8492DB109B12E44136EA765F79ABC4F84516BEF8E07B66CB3CC1A4C744
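Two things in the blocks above are worth checking by hand rather than only trusting the signature list: the function whose String ID pairs powrprof.dll with PowerRegisterSuspendResumeNotification (the basis of the "registers a callback to get notified when the system is suspended or resumed" signature), and the Strings section at xrefs 0x4215e7 through 0x4216af, whose contents (GOGC, runtime: marking free object, gcmarknewobject called while doing checkmark, mheap.freeSpanLocked) are Go runtime strings, so the PE at 0x400000 in process 5 is a Go binary. The following Python is an added triage script, not part of the Joe Sandbox report or of the sample; it scans a raw dump for both indicators. The byte string it scans is constructed here as a stand-in for the .sdmp file, and the marker threshold and the proximity window are assumptions of the example, not settings from the report.

```python
"""Triage a memory dump for two indicators from this report (added example, constructed input)."""
import re

# Constructed stand-in for the raw bytes of the 0x400000 region in process 5.
# Real use: read the .sdmp / dumped image from disk instead.
SAMPLE_DUMP = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"powrprof.dll\x00PowerRegisterSuspendResumeNotification\x00"
    + b"runtime: marking free object\x00GOGC\x00"
    + b"gcmarknewobject called while doing checkmark\x00"
    + b"mheap.freeSpanLocked - invalid free\x00"
    + b"kernel32.dll\x00CreateFileW\x00"
)

# Go runtime strings quoted in the report's Strings section.
GO_RUNTIME_MARKERS = [
    b"GOGC",
    b"runtime: marking free object",
    b"gcmarknewobject called while doing checkmark",
    b"mheap.freeSpanLocked",
    b"runtime: lfstack.push invalid packing",
]

# DLL and export named together in the report's String ID (suspend/resume callback).
SUSPEND_RESUME_API = (b"powrprof.dll", b"PowerRegisterSuspendResumeNotification")


def find_strings(data, min_len=4):
    """Return (offset, bytes) for every printable-ASCII run of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group()) for m in re.finditer(pattern, data)]


def go_runtime_hits(data):
    """Map each Go runtime marker present in the dump to its first offset (like the report's xrefs)."""
    return {m.decode(): data.find(m) for m in GO_RUNTIME_MARKERS if m in data}


def is_go_binary(data, threshold=2):
    """Classify the dump as a Go binary when at least `threshold` distinct markers occur.
    The threshold is an assumption of this example, not a report setting."""
    return len(go_runtime_hits(data)) >= threshold


def resolves_suspend_resume_callback(data, window=4096):
    """True when the DLL name and the export name sit within `window` bytes of each other,
    which is how a binary that resolves the API by name at runtime looks in a dump.
    The window is an example heuristic, not something the report states."""
    dll, api = SUSPEND_RESUME_API
    dll_offs = [m.start() for m in re.finditer(re.escape(dll), data)]
    api_offs = [m.start() for m in re.finditer(re.escape(api), data)]
    return any(abs(d - a) <= window for d in dll_offs for a in api_offs)


def triage(data):
    """Summarise both indicators plus a string count for the analyst."""
    return {
        "go_binary": is_go_binary(data),
        "go_markers": go_runtime_hits(data),
        "suspend_resume_callback": resolves_suspend_resume_callback(data),
        "string_count": len(find_strings(data)),
    }


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(json.dumps(triage(data), indent=2))
```

Run it against the dumped image (`python triage.py dump.bin`) to get the same two answers the report gives implicitly: whether the injected PE carries the Go runtime, and whether the powrprof.dll callback API is referenced by name. Neither check proves mining on its own; they narrow what to look at next in the dump.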
                    Strings
                    • runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p, xrefs: 0040C365
                    • packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1Micr, xrefs: 0040C3A5
                    • -> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac, xrefs: 0040C3C5
                    • cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-, xrefs: 0040C385
                    • lfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (goal , cons/mark maxTrigger= pages/byte s.sweepgen= allocCount end tracegcProces, xrefs: 0040C3EF
                    Memory Dump Source
                    • Source File: 00000005.00000002.4017546134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_400000_csc.jbxd
                    Similarity
                    • API ID:
                    • String ID: -> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac$ cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125 (at ntohsClassGreeksse41sse42ssse3StringFormat[]bytestringnetdnsdomaingophertelnet.localreturnlisten.onionsocketexec: SundayMondayFridayAugustUTC-11UTC-02UTC-08UTC-$ packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes 48828125no anodeCancelIoReadFileAcceptExWSAIoctlClassANYQuestionavx512bwavx512vlgo/typesnet/httpgo/buildx509sha1Micr$lfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (goal , cons/mark maxTrigger= pages/byte s.sweepgen= allocCount end tracegcProces$runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p
                    • API String ID: 0-1621370682
                    • Opcode ID: c12e68af4669c7ebffe4d4da2f85d7cbb8219f4e62b23d3ca95c3471088a8ffe
                    • Instruction ID: 5a96ecf5df70063a97e93e536bc284756fc6758f0989f5118017566c94810f6f
                    • Opcode Fuzzy Hash: c12e68af4669c7ebffe4d4da2f85d7cbb8219f4e62b23d3ca95c3471088a8ffe
                    • Instruction Fuzzy Hash: 5E217132215B48C6DA00AB52E88136FA764F74EB84F489536EF9D07725DF3CC5118759
                    Strings
                    • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 00421C50
                    Memory Dump Source
                    • Source File: 00000005.00000002.4017546134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_400000_csc.jbxd
                    Similarity
                    • API ID:
                    • String ID: gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
                    • API String ID: 0-3110597650
                    • Opcode ID: 95b138d9991054ec6f11f3c02461700914ddf8539f56229ea5deb5f8fc906794
                    • Instruction ID: 53a844a7a84ad01774df71fa157ea2769c62a47828825314014deb0c136a16c9
                    • Opcode Fuzzy Hash: 95b138d9991054ec6f11f3c02461700914ddf8539f56229ea5deb5f8fc906794
                    • Instruction Fuzzy Hash: 5721F2F7B42AC443EF058F15D4803A86722E79AFD8F49A076CF4A5775ACA6CC596C304
                    Memory Dump Source
                    • Source File: 00000005.00000002.4017546134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_400000_csc.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 93777dd3814fc503c69b58b28e96303c24bab9db006b93a2883c99640e9c12de
                    • Instruction ID: c35ce2205f4439c9bc33ee611e270b4b6524a6347d7d0b032ba3219efa3bbe4c
                    • Opcode Fuzzy Hash: 93777dd3814fc503c69b58b28e96303c24bab9db006b93a2883c99640e9c12de
                    • Instruction Fuzzy Hash: 54A14776718B8482DB108B26F08025AB7A1F789BD8F545226EFDD53BA9CF3CC051CB44
                    Memory Dump Source
                    • Source File: 00000005.00000002.4017546134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_400000_csc.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 00fca6ffe96d0598eb837d865953b686d33a67bbe900ba1178b2787fa9c7e443
                    • Instruction ID: da070dd6bc55c889b617fafb2509f6d98ecc914ecad407ee4ca492db3da71ad9
                    • Opcode Fuzzy Hash: 00fca6ffe96d0598eb837d865953b686d33a67bbe900ba1178b2787fa9c7e443
                    • Instruction Fuzzy Hash: 08818E76B18B9482DB108F16F4803AAA762F79ABC4F489127EF8D57B59CB7CC091C744
                    Memory Dump Source
                    • Source File: 00000005.00000002.4017546134.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_5_2_400000_csc.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a256208f17b381db6722f0ed2d02a2297ad36eb4d6491dea5391dd1c04bdc341
                    • Instruction ID: d3223bdf275e84daa4910810eeb1eb334a6769f4471e182a90cf707f9c0d66b9
                    • Opcode Fuzzy Hash: a256208f17b381db6722f0ed2d02a2297ad36eb4d6491dea5391dd1c04bdc341
                    • Instruction Fuzzy Hash: 64C02BF0907FD218FB50C30072003413AC68F043C4D80C081C28801B25F63CD6A2472F
                    Memory Dump Source
                    • Source File: 00000008.00000002.2333450654.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd34720000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 0a529b0179c349730eceefe282a267a843ae0c7087502f73dcaebf1263ee9df0
                    • Instruction ID: 971a77711d90eadef39101abdcbb31adc42d0a1611e9580d883dd6b9bcc89930
                    • Opcode Fuzzy Hash: 0a529b0179c349730eceefe282a267a843ae0c7087502f73dcaebf1263ee9df0
                    • Instruction Fuzzy Hash: B951CF3150D7C88FD7578B28A8656A57FF0EF57320F0942DFE089C71A3D668A906CB92
                    Memory Dump Source
                    • Source File: 00000008.00000002.2333450654.00007FFD34720000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34720000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd34720000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6e8b9d47187cea1e3081c10088e123248bdfb0f1f97d8cac99b9a007bc20e702
                    • Instruction ID: 4857f03e25458b2af8afb744aba0d7ce532cfc997fa8b55a6ff1d53f31e6d717
                    • Opcode Fuzzy Hash: 6e8b9d47187cea1e3081c10088e123248bdfb0f1f97d8cac99b9a007bc20e702
                    • Instruction Fuzzy Hash: 6A41F6A3B0EA854FEB55DA6848A627877D1FF56350F1801BEE08DC71D3DC28BC059781
                    Memory Dump Source
                    • Source File: 00000008.00000002.2333078907.00007FFD34650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34650000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_8_2_7ffd34650000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                    • Instruction ID: a7b3ec9e85f60c887bf1ab583759d59287a80f7d629e4d15af53f6682909c868
                    • Opcode Fuzzy Hash: 76d70864090ee490991c90939bad70b8686d9afa50a49723ed7ebb2cc1aa164d
                    • Instruction Fuzzy Hash: 3601677121CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3661DA36E892CB45