Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
9GlCWW6bXc.exe

Overview

General Information

Sample name:9GlCWW6bXc.exe
renamed because original name is a hash value
Original sample name:53ffbe2e9c08961a21157be3a79fe0a33d19ec4bdae8cf2dc62c27f1fa4097df.exe
Analysis ID:1557204
MD5:e03c1771945c884883a82704a93ca453
SHA1:78609d9940ec6e59db7961ec2ac859c68ce81186
SHA256:53ffbe2e9c08961a21157be3a79fe0a33d19ec4bdae8cf2dc62c27f1fa4097df
Tags:exeuser-Chainskilabs
Infos:

Detection

XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: System File Execution Location Anomaly
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 9GlCWW6bXc.exe (PID: 1644 cmdline: "C:\Users\user\Desktop\9GlCWW6bXc.exe" MD5: E03C1771945C884883A82704A93CA453)
    • powershell.exe (PID: 5524 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9GlCWW6bXc.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3780 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5792 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E03C1771945C884883A82704A93CA453)
  • svchost.exe (PID: 3032 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: E03C1771945C884883A82704A93CA453)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["23.ip.gl.ply.gg"], "Port": 7972, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
9GlCWW6bXc.exeJoeSecurity_XWormYara detected XWormJoe Security
    9GlCWW6bXc.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0xb772:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0xb80f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0xb924:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0xacce:$cnc4: POST / HTTP/1.1

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Users\user\AppData\Roaming\svchost.exeJoeSecurity_XWormYara detected XWormJoe Security
      C:\Users\user\AppData\Roaming\svchost.exeMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0xb772:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0xb80f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0xb924:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0xacce:$cnc4: POST / HTTP/1.1

      Memory Dumps

      SourceRuleDescriptionAuthorStrings
      00000000.00000000.2025052692.00000000004A2000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_XWormYara detected XWormJoe Security
        00000000.00000000.2025052692.00000000004A2000.00000002.00000001.01000000.00000003.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
        • 0xb572:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
        • 0xb60f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
        • 0xb724:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
        • 0xaace:$cnc4: POST / HTTP/1.1
        00000000.00000002.3319151670.00000000127C8000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
          00000000.00000002.3319151670.00000000127C8000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0xd232:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0xd2cf:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0xd3e4:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0xc78e:$cnc4: POST / HTTP/1.1
          Process Memory Space: 9GlCWW6bXc.exe PID: 1644JoeSecurity_XWormYara detected XWormJoe Security

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpackJoeSecurity_XWormYara detected XWormJoe Security
              0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
              • 0xb772:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
              • 0xb80f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
              • 0xb924:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
              • 0xacce:$cnc4: POST / HTTP/1.1
              0.2.9GlCWW6bXc.exe.127c9ac0.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                0.2.9GlCWW6bXc.exe.127c9ac0.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
                • 0x9972:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
                • 0x9a0f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
                • 0x9b24:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
                • 0x8ece:$cnc4: POST / HTTP/1.1
                0.0.9GlCWW6bXc.exe.4a0000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
                  Click to see the 1 entries

                  Sigma Signatures

                  System Summary

                  barindex
                  Sigma detected: Files With System Process Name In Unsuspected Locations
                  Source: File createdAuthor: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\Desktop\9GlCWW6bXc.exe, ProcessId: 1644, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
                  Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9GlCWW6bXc.exe", ParentImage: C:\Users\user\Desktop\9GlCWW6bXc.exe, ParentProcessId: 1644, ParentProcessName: 9GlCWW6bXc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', ProcessId: 5524, ProcessName: powershell.exe
                  Sigma detected: System File Execution Location Anomaly
                  Source: Process startedAuthor: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 5792, ProcessName: svchost.exe
                  Sigma detected: Change PowerShell Policies to an Insecure Level
                  Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9GlCWW6bXc.exe", ParentImage: C:\Users\user\Desktop\9GlCWW6bXc.exe, ParentProcessId: 1644, ParentProcessName: 9GlCWW6bXc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', ProcessId: 5524, ProcessName: powershell.exe
                  Sigma detected: CurrentVersion Autorun Keys Modification
                  Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\9GlCWW6bXc.exe, ProcessId: 1644, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
                  Sigma detected: Powershell Defender Exclusion
                  Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9GlCWW6bXc.exe", ParentImage: C:\Users\user\Desktop\9GlCWW6bXc.exe, ParentProcessId: 1644, ParentProcessName: 9GlCWW6bXc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', ProcessId: 5524, ProcessName: powershell.exe
                  Sigma detected: Startup Folder File Write
                  Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\9GlCWW6bXc.exe, ProcessId: 1644, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                  Sigma detected: Non Interactive PowerShell Process Spawned
                  Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\9GlCWW6bXc.exe", ParentImage: C:\Users\user\Desktop\9GlCWW6bXc.exe, ParentProcessId: 1644, ParentProcessName: 9GlCWW6bXc.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe', ProcessId: 5524, ProcessName: powershell.exe
                  Sigma detected: Windows Processes Suspicious Parent Directory
                  Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 5792, ProcessName: svchost.exe

                  Suricata Signatures

                  TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                  2024-11-17T19:23:05.026396+010028559241Malware Command and Control Activity Detected192.168.2.549986147.185.221.237972TCP

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: 9GlCWW6bXc.exeAvira: detected
                  Antivirus detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeAvira: detection malicious, Label: TR/Spy.Gen
                  Found malware configuration
                  Source: 9GlCWW6bXc.exeMalware Configuration Extractor: Xworm {"C2 url": ["23.ip.gl.ply.gg"], "Port": 7972, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
                  Multi AV Scanner detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeReversingLabs: Detection: 78%
                  Multi AV Scanner detection for submitted file
                  Source: 9GlCWW6bXc.exeReversingLabs: Detection: 78%
                  AI detected suspicious sample
                  Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                  Machine Learning detection for dropped file
                  Source: C:\Users\user\AppData\Roaming\svchost.exeJoe Sandbox ML: detected
                  Machine Learning detection for sample
                  Source: 9GlCWW6bXc.exeJoe Sandbox ML: detected
                  Sample uses string decryption to hide its real strings
                  Source: 9GlCWW6bXc.exeString decryptor: 23.ip.gl.ply.gg
                  Source: 9GlCWW6bXc.exeString decryptor: 7972
                  Source: 9GlCWW6bXc.exeString decryptor: <123456789>
                  Source: 9GlCWW6bXc.exeString decryptor: <Xwormmm>
                  Source: 9GlCWW6bXc.exeString decryptor:
                  Source: 9GlCWW6bXc.exeString decryptor: USB.exe
                  Source: 9GlCWW6bXc.exeString decryptor: %AppData%
                  Source: 9GlCWW6bXc.exeString decryptor: svchost.exe
                  Source: 9GlCWW6bXc.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 9GlCWW6bXc.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

                  barindex
                  Suricata IDS alerts for network traffic
                  Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.5:49986 -> 147.185.221.23:7972
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: 23.ip.gl.ply.gg
                  Source: global trafficTCP traffic: 192.168.2.5:49916 -> 147.185.221.23:7972
                  Source: Joe Sandbox ViewIP Address: 147.185.221.23 147.185.221.23
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: global trafficDNS traffic detected: DNS query: 23.ip.gl.ply.gg
                  Source: powershell.exe, 00000002.00000002.2115164661.0000025618ABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2204115142.000001B3274FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2360843088.00000277BF28F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2562833084.0000022ABB7BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                  Source: powershell.exe, 0000000A.00000002.2427049103.0000022AAB97A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
                  Source: powershell.exe, 00000002.00000002.2095808839.0000025608C7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2151571426.000001B3176B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259344986.00000277AF449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427049103.0000022AAB9C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                  Source: 9GlCWW6bXc.exe, 00000000.00000002.3289761520.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2095808839.0000025608A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2151571426.000001B317491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259344986.00000277AF221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427049103.0000022AAB751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: powershell.exe, 00000002.00000002.2095808839.0000025608C7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2151571426.000001B3176B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259344986.00000277AF449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427049103.0000022AAB9C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                  Source: powershell.exe, 0000000A.00000002.2427049103.0000022AAB97A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                  Source: powershell.exe, 00000008.00000002.2382837254.00000277C78E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.micom/pkiops/Docs/ry.htm0
                  Source: powershell.exe, 00000002.00000002.2095808839.0000025608A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2151571426.000001B317491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259344986.00000277AF221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427049103.0000022AAB751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                  Source: powershell.exe, 0000000A.00000002.2562833084.0000022ABB7BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                  Source: powershell.exe, 0000000A.00000002.2562833084.0000022ABB7BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                  Source: powershell.exe, 0000000A.00000002.2562833084.0000022ABB7BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                  Source: powershell.exe, 0000000A.00000002.2427049103.0000022AAB97A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                  Source: powershell.exe, 00000002.00000002.2115164661.0000025618ABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2204115142.000001B3274FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2360843088.00000277BF28F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2562833084.0000022ABB7BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe

                  Operating System Destruction

                  barindex
                  Protects its processes via BreakOnTermination flag
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: 01 00 00 00 Jump to behavior

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: 9GlCWW6bXc.exe, type: SAMPLEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 0.0.9GlCWW6bXc.exe.4a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000000.00000000.2025052692.00000000004A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: 00000000.00000002.3319151670.00000000127C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: Detects AsyncRAT Author: ditekSHen
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeCode function: 0_2_00007FF848E716890_2_00007FF848E71689
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeCode function: 0_2_00007FF848E783460_2_00007FF848E78346
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeCode function: 0_2_00007FF848E790F20_2_00007FF848E790F2
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeCode function: 0_2_00007FF848E716C90_2_00007FF848E716C9
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848F32E118_2_00007FF848F32E11
                  Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 13_2_00007FF848E8168913_2_00007FF848E81689
                  Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 13_2_00007FF848E816C913_2_00007FF848E816C9
                  Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 14_2_00007FF848E5168914_2_00007FF848E51689
                  Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 14_2_00007FF848E516C914_2_00007FF848E516C9
                  Source: 9GlCWW6bXc.exe, 00000000.00000002.3319151670.00000000127C8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSolaraBootstrapper.exe4 vs 9GlCWW6bXc.exe
                  Source: 9GlCWW6bXc.exe, 00000000.00000000.2025084036.00000000004B0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSolaraBootstrapper.exe4 vs 9GlCWW6bXc.exe
                  Source: 9GlCWW6bXc.exeBinary or memory string: OriginalFilenameSolaraBootstrapper.exe4 vs 9GlCWW6bXc.exe
                  Source: 9GlCWW6bXc.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 9GlCWW6bXc.exe, type: SAMPLEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 0.0.9GlCWW6bXc.exe.4a0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000000.00000000.2025052692.00000000004A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 00000000.00000002.3319151670.00000000127C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
                  Source: 9GlCWW6bXc.exe, 2QV3SuHSGf.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 9GlCWW6bXc.exe, 2QV3SuHSGf.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 9GlCWW6bXc.exe, qQEBbTVM3w.csCryptographic APIs: 'TransformFinalBlock'
                  Source: svchost.exe.0.dr, 2QV3SuHSGf.csCryptographic APIs: 'TransformFinalBlock'
                  Source: svchost.exe.0.dr, 2QV3SuHSGf.csCryptographic APIs: 'TransformFinalBlock'
                  Source: svchost.exe.0.dr, qQEBbTVM3w.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, 2QV3SuHSGf.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, 2QV3SuHSGf.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, qQEBbTVM3w.csCryptographic APIs: 'TransformFinalBlock'
                  Source: svchost.exe.0.dr, nMxKvw3uhK.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: svchost.exe.0.dr, nMxKvw3uhK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 9GlCWW6bXc.exe, nMxKvw3uhK.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 9GlCWW6bXc.exe, nMxKvw3uhK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, nMxKvw3uhK.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, nMxKvw3uhK.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@15/21@1/1
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile created: C:\Users\user\AppData\Roaming\svchost.exeJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6020:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeMutant created: \Sessions\1\BaseNamedObjects\FjDXcymf60BpCm14
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile created: C:\Users\user\AppData\Local\Temp\Log.tmpJump to behavior
                  Source: 9GlCWW6bXc.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 9GlCWW6bXc.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: 9GlCWW6bXc.exeReversingLabs: Detection: 78%
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile read: C:\Users\user\Desktop\9GlCWW6bXc.exeJump to behavior
                  Source: unknownProcess created: C:\Users\user\Desktop\9GlCWW6bXc.exe "C:\Users\user\Desktop\9GlCWW6bXc.exe"
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9GlCWW6bXc.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9GlCWW6bXc.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
                  Source: svchost.lnk.0.drLNK file: ..\..\..\..\..\svchost.exe
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: 9GlCWW6bXc.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 9GlCWW6bXc.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  barindex
                  .NET source code contains method to dynamically call methods (often used by packers)
                  Source: 9GlCWW6bXc.exe, Mukg7p2oFK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{uQMnml34al.XMGQLauOeK,uQMnml34al.md1dhzzFSw,uQMnml34al.gel9Sc66NW,uQMnml34al._5ihAl6YOqV,_2QV3SuHSGf.r8QHfEQATT()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 9GlCWW6bXc.exe, Mukg7p2oFK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Jji5G7fZH2[2],_2QV3SuHSGf.RBdCBYsLgw(Convert.FromBase64String(Jji5G7fZH2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: svchost.exe.0.dr, Mukg7p2oFK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{uQMnml34al.XMGQLauOeK,uQMnml34al.md1dhzzFSw,uQMnml34al.gel9Sc66NW,uQMnml34al._5ihAl6YOqV,_2QV3SuHSGf.r8QHfEQATT()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: svchost.exe.0.dr, Mukg7p2oFK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Jji5G7fZH2[2],_2QV3SuHSGf.RBdCBYsLgw(Convert.FromBase64String(Jji5G7fZH2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, Mukg7p2oFK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{uQMnml34al.XMGQLauOeK,uQMnml34al.md1dhzzFSw,uQMnml34al.gel9Sc66NW,uQMnml34al._5ihAl6YOqV,_2QV3SuHSGf.r8QHfEQATT()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, Mukg7p2oFK.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Jji5G7fZH2[2],_2QV3SuHSGf.RBdCBYsLgw(Convert.FromBase64String(Jji5G7fZH2[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  .NET source code contains potential unpacker
                  Source: 9GlCWW6bXc.exe, Mukg7p2oFK.cs.Net Code: A2aMaTtg1t System.AppDomain.Load(byte[])
                  Source: 9GlCWW6bXc.exe, Mukg7p2oFK.cs.Net Code: _9OOrueBaUn System.AppDomain.Load(byte[])
                  Source: 9GlCWW6bXc.exe, Mukg7p2oFK.cs.Net Code: _9OOrueBaUn
                  Source: svchost.exe.0.dr, Mukg7p2oFK.cs.Net Code: A2aMaTtg1t System.AppDomain.Load(byte[])
                  Source: svchost.exe.0.dr, Mukg7p2oFK.cs.Net Code: _9OOrueBaUn System.AppDomain.Load(byte[])
                  Source: svchost.exe.0.dr, Mukg7p2oFK.cs.Net Code: _9OOrueBaUn
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, Mukg7p2oFK.cs.Net Code: A2aMaTtg1t System.AppDomain.Load(byte[])
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, Mukg7p2oFK.cs.Net Code: _9OOrueBaUn System.AppDomain.Load(byte[])
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, Mukg7p2oFK.cs.Net Code: _9OOrueBaUn
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeCode function: 0_2_00007FF848E700BD pushad ; iretd 0_2_00007FF848E700C1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848D5D2A5 pushad ; iretd 2_2_00007FF848D5D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F42316 push 8B485F93h; iretd 2_2_00007FF848F4231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848D5D2A5 pushad ; iretd 5_2_00007FF848D5D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848E7C2C5 push ebx; iretd 5_2_00007FF848E7C2DA
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848E723CD pushad ; retf 5_2_00007FF848E723F1
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FF848F42316 push 8B485F93h; iretd 5_2_00007FF848F4231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848D4D2A5 pushad ; iretd 8_2_00007FF848D4D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FF848F32316 push 8B485F94h; iretd 8_2_00007FF848F3231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848D5D2A5 pushad ; iretd 10_2_00007FF848D5D2A6
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848E70DD0 pushad ; retf 10_2_00007FF848E70E0D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848E70C28 pushad ; retf 10_2_00007FF848E70E0D
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848F42316 push 8B485F93h; iretd 10_2_00007FF848F4231B
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FF848F49540 push eax; retf 10_2_00007FF848F49541
                  Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 13_2_00007FF848E800BD pushad ; iretd 13_2_00007FF848E800C1
                  Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 14_2_00007FF848E500BD pushad ; iretd 14_2_00007FF848E500C1
                  Source: 9GlCWW6bXc.exe, l8m8QyDS8X.csHigh entropy of concatenated method names: '_8HrxEHTxTC', 'sYCeVMajyp', 'glj7OHgs79', 'wLIyvbjpIq2DxmZIe7HGLHjUCDt7M05VelHhdMJIBx', 'RNzZgLxP0YSwSIuvyJInR5c1Q4GioB7IPAysP21HNK', '_4RStGNyjSolHYRy9q5xtmaal20J8Bv7BzGW2JnaSQw', 'yTC1bTVRbojux3NUvNgUzsuluoUQFItbb4iONq57Hs', 'qt1VukirRqXJiSDXPJMKDg35wBNlPqEZI5nZd7k6xh', 'mvx2Pxs7et1rJSvRHhVlGNSpYbuSdLf1uUXKsprJi5', 'YXH8rJdl8xeFaTwl5F4ef7LDteAf3DN4oY0jRuuozf'
                  Source: 9GlCWW6bXc.exe, nMxKvw3uhK.csHigh entropy of concatenated method names: 'PIgo5hduH4', 'pfFM5COgAr', 'pmiotvruYJ', 'dvECuKllek', 'tV7tSRVzfU', 'Thnn6Rgd5v', 'UKlNuOakoe', 'Oe44GrSBGK', 'dDWKPO7jwH', 'mX7dNMIsAS'
                  Source: 9GlCWW6bXc.exe, BXOSrcc6bp.csHigh entropy of concatenated method names: '_0tKad5Ja7K', '_2XZvq1DaFP', 'BMmwN5p9oq', 'rsMfU7bvOH', 'sJkIYLKfSN', 'R6WS26aV0R', 'uQZksGH9Ir', 'PGAlNFqUd1', '_6pMdXHANkF', '_24tJViPZiq'
                  Source: 9GlCWW6bXc.exe, cudOUlwWq5.csHigh entropy of concatenated method names: 'rEhUoSI1Eq', 'HyVAAUnPjo', 'UEryRYBtyU', 'ZbR1GbXe2P', 'i1MK4p3jyx', 'rvyFmfnkXv', 'WIan17DeQ4', 'Y0Hpc0jASy', '_2jmiD8N25K', '_3dBe0RZaXD'
                  Source: 9GlCWW6bXc.exe, niA0dYg3sa.csHigh entropy of concatenated method names: 'gGceY6zX2T', 'eFCeSJkntY', 'VCImVtjjiV', '_0xD9CYtSe9', 'hS5m81ihSkTALuaqHmnbZfXx3PrhZRkEblKHCPLjL7', 'VdgmXZtziVG2zX8BZK4mn0Ly1HqODZBSoqDcuUZCsu', 'AqefbICJbDyWtXEbDgvh3hVSb8XF7TwoTy0rW7l2YM', 'QfohcetxrURqj0iwxO6r4HPoO8ouWLc4I4tyfQrVmy', '_18MIz6gsft8cZTBYQdPVMD6aCYiARxy0fwaJex8Z1l', 'Bul0hg1v5Jeu6zyziXibo2Lsxce3lwpBBngBOUIpIC'
                  Source: 9GlCWW6bXc.exe, 2QV3SuHSGf.csHigh entropy of concatenated method names: 'BVZwszDvww', '_00cTUXC9jV', '_0sWPB9fwUP', 'Is7wGVu9o0', '_6k9Bg0Ykjj', 'qJbnX1ETsI', 'JSLZkQAH9G', 'YeHFy9w9Pi', 'fCsc37Xz15', 'IQaOcriwFR'
                  Source: 9GlCWW6bXc.exe, Mukg7p2oFK.csHigh entropy of concatenated method names: '_9wbNs03BPl', 'A2aMaTtg1t', '_05s6S2f7Bk', 'NcKkEzs0xE', 'WOk5ebthNS', 'Q7itTwQ4uI', 'GHu3d29xBl', 'qiXqeGHLN6', 'vxN4n1GZHH', '_7NcJDhAjrL'
                  Source: 9GlCWW6bXc.exe, qQEBbTVM3w.csHigh entropy of concatenated method names: 'rsfcch8qlZ', 'WJx37i3f1lBI0Gi2r0dqXJH7OHsHtcuTy53Dp9PhDL', 'i6MWzrpdlUO3dul6vZHRNOKyIEcKlNyJGfkSioEXXc', '_20uGpy4tiwtHF3ht1P0CPgkRtHsP4lSKp3LJvTilPC', 'OkKdzqIuq0V5vfoxF0LmWhwdLMeHkO3vioIUuyeTrT'
                  Source: svchost.exe.0.dr, l8m8QyDS8X.csHigh entropy of concatenated method names: '_8HrxEHTxTC', 'sYCeVMajyp', 'glj7OHgs79', 'wLIyvbjpIq2DxmZIe7HGLHjUCDt7M05VelHhdMJIBx', 'RNzZgLxP0YSwSIuvyJInR5c1Q4GioB7IPAysP21HNK', '_4RStGNyjSolHYRy9q5xtmaal20J8Bv7BzGW2JnaSQw', 'yTC1bTVRbojux3NUvNgUzsuluoUQFItbb4iONq57Hs', 'qt1VukirRqXJiSDXPJMKDg35wBNlPqEZI5nZd7k6xh', 'mvx2Pxs7et1rJSvRHhVlGNSpYbuSdLf1uUXKsprJi5', 'YXH8rJdl8xeFaTwl5F4ef7LDteAf3DN4oY0jRuuozf'
                  Source: svchost.exe.0.dr, nMxKvw3uhK.csHigh entropy of concatenated method names: 'PIgo5hduH4', 'pfFM5COgAr', 'pmiotvruYJ', 'dvECuKllek', 'tV7tSRVzfU', 'Thnn6Rgd5v', 'UKlNuOakoe', 'Oe44GrSBGK', 'dDWKPO7jwH', 'mX7dNMIsAS'
                  Source: svchost.exe.0.dr, BXOSrcc6bp.csHigh entropy of concatenated method names: '_0tKad5Ja7K', '_2XZvq1DaFP', 'BMmwN5p9oq', 'rsMfU7bvOH', 'sJkIYLKfSN', 'R6WS26aV0R', 'uQZksGH9Ir', 'PGAlNFqUd1', '_6pMdXHANkF', '_24tJViPZiq'
                  Source: svchost.exe.0.dr, cudOUlwWq5.csHigh entropy of concatenated method names: 'rEhUoSI1Eq', 'HyVAAUnPjo', 'UEryRYBtyU', 'ZbR1GbXe2P', 'i1MK4p3jyx', 'rvyFmfnkXv', 'WIan17DeQ4', 'Y0Hpc0jASy', '_2jmiD8N25K', '_3dBe0RZaXD'
                  Source: svchost.exe.0.dr, niA0dYg3sa.csHigh entropy of concatenated method names: 'gGceY6zX2T', 'eFCeSJkntY', 'VCImVtjjiV', '_0xD9CYtSe9', 'hS5m81ihSkTALuaqHmnbZfXx3PrhZRkEblKHCPLjL7', 'VdgmXZtziVG2zX8BZK4mn0Ly1HqODZBSoqDcuUZCsu', 'AqefbICJbDyWtXEbDgvh3hVSb8XF7TwoTy0rW7l2YM', 'QfohcetxrURqj0iwxO6r4HPoO8ouWLc4I4tyfQrVmy', '_18MIz6gsft8cZTBYQdPVMD6aCYiARxy0fwaJex8Z1l', 'Bul0hg1v5Jeu6zyziXibo2Lsxce3lwpBBngBOUIpIC'
                  Source: svchost.exe.0.dr, 2QV3SuHSGf.csHigh entropy of concatenated method names: 'BVZwszDvww', '_00cTUXC9jV', '_0sWPB9fwUP', 'Is7wGVu9o0', '_6k9Bg0Ykjj', 'qJbnX1ETsI', 'JSLZkQAH9G', 'YeHFy9w9Pi', 'fCsc37Xz15', 'IQaOcriwFR'
                  Source: svchost.exe.0.dr, Mukg7p2oFK.csHigh entropy of concatenated method names: '_9wbNs03BPl', 'A2aMaTtg1t', '_05s6S2f7Bk', 'NcKkEzs0xE', 'WOk5ebthNS', 'Q7itTwQ4uI', 'GHu3d29xBl', 'qiXqeGHLN6', 'vxN4n1GZHH', '_7NcJDhAjrL'
                  Source: svchost.exe.0.dr, qQEBbTVM3w.csHigh entropy of concatenated method names: 'rsfcch8qlZ', 'WJx37i3f1lBI0Gi2r0dqXJH7OHsHtcuTy53Dp9PhDL', 'i6MWzrpdlUO3dul6vZHRNOKyIEcKlNyJGfkSioEXXc', '_20uGpy4tiwtHF3ht1P0CPgkRtHsP4lSKp3LJvTilPC', 'OkKdzqIuq0V5vfoxF0LmWhwdLMeHkO3vioIUuyeTrT'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, l8m8QyDS8X.csHigh entropy of concatenated method names: '_8HrxEHTxTC', 'sYCeVMajyp', 'glj7OHgs79', 'wLIyvbjpIq2DxmZIe7HGLHjUCDt7M05VelHhdMJIBx', 'RNzZgLxP0YSwSIuvyJInR5c1Q4GioB7IPAysP21HNK', '_4RStGNyjSolHYRy9q5xtmaal20J8Bv7BzGW2JnaSQw', 'yTC1bTVRbojux3NUvNgUzsuluoUQFItbb4iONq57Hs', 'qt1VukirRqXJiSDXPJMKDg35wBNlPqEZI5nZd7k6xh', 'mvx2Pxs7et1rJSvRHhVlGNSpYbuSdLf1uUXKsprJi5', 'YXH8rJdl8xeFaTwl5F4ef7LDteAf3DN4oY0jRuuozf'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, nMxKvw3uhK.csHigh entropy of concatenated method names: 'PIgo5hduH4', 'pfFM5COgAr', 'pmiotvruYJ', 'dvECuKllek', 'tV7tSRVzfU', 'Thnn6Rgd5v', 'UKlNuOakoe', 'Oe44GrSBGK', 'dDWKPO7jwH', 'mX7dNMIsAS'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, BXOSrcc6bp.csHigh entropy of concatenated method names: '_0tKad5Ja7K', '_2XZvq1DaFP', 'BMmwN5p9oq', 'rsMfU7bvOH', 'sJkIYLKfSN', 'R6WS26aV0R', 'uQZksGH9Ir', 'PGAlNFqUd1', '_6pMdXHANkF', '_24tJViPZiq'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, cudOUlwWq5.csHigh entropy of concatenated method names: 'rEhUoSI1Eq', 'HyVAAUnPjo', 'UEryRYBtyU', 'ZbR1GbXe2P', 'i1MK4p3jyx', 'rvyFmfnkXv', 'WIan17DeQ4', 'Y0Hpc0jASy', '_2jmiD8N25K', '_3dBe0RZaXD'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, niA0dYg3sa.csHigh entropy of concatenated method names: 'gGceY6zX2T', 'eFCeSJkntY', 'VCImVtjjiV', '_0xD9CYtSe9', 'hS5m81ihSkTALuaqHmnbZfXx3PrhZRkEblKHCPLjL7', 'VdgmXZtziVG2zX8BZK4mn0Ly1HqODZBSoqDcuUZCsu', 'AqefbICJbDyWtXEbDgvh3hVSb8XF7TwoTy0rW7l2YM', 'QfohcetxrURqj0iwxO6r4HPoO8ouWLc4I4tyfQrVmy', '_18MIz6gsft8cZTBYQdPVMD6aCYiARxy0fwaJex8Z1l', 'Bul0hg1v5Jeu6zyziXibo2Lsxce3lwpBBngBOUIpIC'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, 2QV3SuHSGf.csHigh entropy of concatenated method names: 'BVZwszDvww', '_00cTUXC9jV', '_0sWPB9fwUP', 'Is7wGVu9o0', '_6k9Bg0Ykjj', 'qJbnX1ETsI', 'JSLZkQAH9G', 'YeHFy9w9Pi', 'fCsc37Xz15', 'IQaOcriwFR'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, Mukg7p2oFK.csHigh entropy of concatenated method names: '_9wbNs03BPl', 'A2aMaTtg1t', '_05s6S2f7Bk', 'NcKkEzs0xE', 'WOk5ebthNS', 'Q7itTwQ4uI', 'GHu3d29xBl', 'qiXqeGHLN6', 'vxN4n1GZHH', '_7NcJDhAjrL'
                  Source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, qQEBbTVM3w.csHigh entropy of concatenated method names: 'rsfcch8qlZ', 'WJx37i3f1lBI0Gi2r0dqXJH7OHsHtcuTy53Dp9PhDL', 'i6MWzrpdlUO3dul6vZHRNOKyIEcKlNyJGfkSioEXXc', '_20uGpy4tiwtHF3ht1P0CPgkRtHsP4lSKp3LJvTilPC', 'OkKdzqIuq0V5vfoxF0LmWhwdLMeHkO3vioIUuyeTrT'

                  Persistence and Installation Behavior

                  barindex
                  Drops PE files with benign system names
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile created: C:\Users\user\AppData\Roaming\svchost.exeJump to dropped file
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile created: C:\Users\user\AppData\Roaming\svchost.exeJump to dropped file
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnkJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnkJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchostJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchostJump to behavior

                  Hooking and other Techniques for Hiding and Protection

                  barindex
                  Loading BitLocker PowerShell Module
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  barindex
                  Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeMemory allocated: A10000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeMemory allocated: 1A7C0000 memory reserve | memory write watchJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: DF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 1A9A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 17D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\svchost.exeMemory allocated: 1B3A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWindow / User API: threadDelayed 6637Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWindow / User API: threadDelayed 3187Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5200Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4582Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8175Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1381Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2269Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7183Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7769Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1954Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exe TID: 4424Thread sleep time: -29514790517935264s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6656Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3876Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6432Thread sleep count: 2269 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6432Thread sleep count: 7183 > 30Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6504Thread sleep time: -7378697629483816s >= -30000sJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4720Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5388Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5244Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477
                  Source: 9GlCWW6bXc.exe, 00000000.00000002.3323021726.000000001B4D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Adds a directory exclusion to Windows Defender
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe'
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'Jump to behavior
                  Bypasses PowerShell execution policy
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe'
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9GlCWW6bXc.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'Jump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeQueries volume information: C:\Users\user\Desktop\9GlCWW6bXc.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\svchost.exeQueries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: 9GlCWW6bXc.exe, 00000000.00000002.3323021726.000000001B578000.00000004.00000020.00020000.00000000.sdmp, 9GlCWW6bXc.exe, 00000000.00000002.3327253001.000000001C210000.00000004.00000020.00020000.00000000.sdmp, 9GlCWW6bXc.exe, 00000000.00000002.3323021726.000000001B4D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\Desktop\9GlCWW6bXc.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                  Stealing of Sensitive Information

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: 9GlCWW6bXc.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.9GlCWW6bXc.exe.4a0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.2025052692.00000000004A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3319151670.00000000127C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 9GlCWW6bXc.exe PID: 1644, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

                  Remote Access Functionality

                  barindex
                  Yara detected XWorm
                  Source: Yara matchFile source: 9GlCWW6bXc.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.9GlCWW6bXc.exe.127c9ac0.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.0.9GlCWW6bXc.exe.4a0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000000.2025052692.00000000004A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.3319151670.00000000127C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: 9GlCWW6bXc.exe PID: 1644, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
                  Windows Management Instrumentation                  		21
                  Registry Run Keys / Startup Folder                  		11
                  Process Injection                  		11
                  Masquerading                  		OS Credential Dumping221
                  Security Software Discovery                  		Remote Services11
                  Archive Collected Data                  		1
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault Accounts1
                  PowerShell                  		1
                  DLL Side-Loading                  		21
                  Registry Run Keys / Startup Folder                  		11
                  Disable or Modify Tools                  		LSASS Memory1
                  Process Discovery                  		Remote Desktop ProtocolData from Removable Media1
                  Non-Standard Port                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                  DLL Side-Loading                  		131
                  Virtualization/Sandbox Evasion                  		Security Account Manager131
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared Drive1
                  Non-Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                  Process Injection                  		NTDS1
                  Application Window Discovery                  		Distributed Component Object ModelInput Capture11
                  Application Layer Protocol                  		Traffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Deobfuscate/Decode Files or Information                  		LSA Secrets1
                  File and Directory Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  Obfuscated Files or Information                  		Cached Domain Credentials13
                  System Information Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                  Software Packing                  		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                  DLL Side-Loading                  		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1557204 Sample: 9GlCWW6bXc.exe Startdate: 17/11/2024 Architecture: WINDOWS Score: 100 36 23.ip.gl.ply.gg 2->36 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 12 other signatures 2->48 8 9GlCWW6bXc.exe 1 6 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        signatures3 process4 dnsIp5 38 23.ip.gl.ply.gg 147.185.221.23, 49916, 49962, 49981 SALSGIVERUS United States 8->38 34 C:\Users\user\AppData\Roaming\svchost.exe, PE32 8->34 dropped 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->50 52 Protects its processes via BreakOnTermination flag 8->52 54 Bypasses PowerShell execution policy 8->54 62 2 other signatures 8->62 17 powershell.exe 23 8->17         started        20 powershell.exe 23 8->20         started        22 powershell.exe 23 8->22         started        24 powershell.exe 21 8->24         started        56 Antivirus detection for dropped file 13->56 58 Multi AV Scanner detection for dropped file 13->58 60 Machine Learning detection for dropped file 13->60 file6 signatures7 process8 signatures9 40 Loading BitLocker PowerShell Module 17->40 26 conhost.exe 17->26         started        28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        process10

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  9GlCWW6bXc.exe79%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT
                  9GlCWW6bXc.exe100%AviraTR/Spy.Gen
                  9GlCWW6bXc.exe100%Joe Sandbox ML

                  Dropped Files

                  SourceDetectionScannerLabelLink
                  C:\Users\user\AppData\Roaming\svchost.exe100%AviraTR/Spy.Gen
                  C:\Users\user\AppData\Roaming\svchost.exe100%Joe Sandbox ML
                  C:\Users\user\AppData\Roaming\svchost.exe79%ReversingLabsByteCode-MSIL.Spyware.AsyncRAT

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  No Antivirus matches

                  Domains and IPs

                  Contacted Domains

                  NameIPActiveMaliciousAntivirus DetectionReputation
                  23.ip.gl.ply.gg
                  		147.185.221.23
                  		truefalse
                    		high

                    Contacted URLs

                    NameMaliciousAntivirus DetectionReputation
                    23.ip.gl.ply.ggfalse
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.2115164661.0000025618ABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2204115142.000001B3274FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2360843088.00000277BF28F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2562833084.0000022ABB7BE000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 0000000A.00000002.2427049103.0000022AAB97A000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000002.00000002.2095808839.0000025608C7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2151571426.000001B3176B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259344986.00000277AF449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427049103.0000022AAB9C9000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 0000000A.00000002.2427049103.0000022AAB97A000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000002.00000002.2095808839.0000025608C7A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2151571426.000001B3176B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259344986.00000277AF449000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427049103.0000022AAB9C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://www.micom/pkiops/Docs/ry.htm0powershell.exe, 00000008.00000002.2382837254.00000277C78E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  https://contoso.com/powershell.exe, 0000000A.00000002.2562833084.0000022ABB7BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.2115164661.0000025618ABF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2204115142.000001B3274FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2360843088.00000277BF28F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2562833084.0000022ABB7BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://contoso.com/Licensepowershell.exe, 0000000A.00000002.2562833084.0000022ABB7BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://contoso.com/Iconpowershell.exe, 0000000A.00000002.2562833084.0000022ABB7BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://aka.ms/pscore68powershell.exe, 00000002.00000002.2095808839.0000025608A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2151571426.000001B317491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259344986.00000277AF221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427049103.0000022AAB751000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name9GlCWW6bXc.exe, 00000000.00000002.3289761520.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2095808839.0000025608A51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2151571426.000001B317491000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2259344986.00000277AF221000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2427049103.0000022AAB751000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              https://github.com/Pester/Pesterpowershell.exe, 0000000A.00000002.2427049103.0000022AAB97A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high

                                                World Map of Contacted IPs

                                                • No. of IPs < 25%
                                                • 25% < No. of IPs < 50%
                                                • 50% < No. of IPs < 75%
                                                • 75% < No. of IPs

                                                Public IPs

                                                IPDomainCountryFlagASNASN NameMalicious
                                                147.185.221.23
                                                		23.ip.gl.ply.ggUnited States
                                                		12087SALSGIVERUSfalse

                                                General Information

                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1557204
                                                Start date and time:2024-11-17 19:20:08 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 6m 18s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:15
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:9GlCWW6bXc.exe
                                                renamed because original name is a hash value
                                                Original Sample Name:53ffbe2e9c08961a21157be3a79fe0a33d19ec4bdae8cf2dc62c27f1fa4097df.exe
                                                Detection:MAL
                                                Classification:mal100.troj.evad.winEXE@15/21@1/1
                                                EGA Information:
                                                • Successful, ratio: 14.3%
                                                HCA Information:
                                                • Successful, ratio: 99%
                                                • Number of executed functions: 65
                                                • Number of non-executed functions: 9
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe

                                                Warnings

                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
                                                • Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                • Execution Graph export aborted for target powershell.exe, PID 2300 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 3780 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 5524 because it is empty
                                                • Execution Graph export aborted for target powershell.exe, PID 7084 because it is empty
                                                • Execution Graph export aborted for target svchost.exe, PID 3032 because it is empty
                                                • Execution Graph export aborted for target svchost.exe, PID 5792 because it is empty
                                                • Not all processes where analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size getting too big, too many NtCreateKey calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • VT rate limit hit for: 9GlCWW6bXc.exe

                                                Simulations

                                                Behavior and APIs

                                                TimeTypeDescription
                                                13:21:03API Interceptor56x Sleep call for process: powershell.exe modified
                                                13:21:59API Interceptor172778x Sleep call for process: 9GlCWW6bXc.exe modified
                                                19:22:00AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
                                                19:22:08AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Roaming\svchost.exe
                                                19:22:16AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

                                                Joe Sandbox View / Context

                                                IPs

                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                147.185.221.23fiPZoO6xvJ.exeGet hashmaliciousXWormBrowse
                                                  EternalPredictor.exeGet hashmaliciousBlank Grabber, Skuld Stealer, XWormBrowse
                                                    eternal.exeGet hashmaliciousXWormBrowse
                                                      svchost.exeGet hashmaliciousUnknownBrowse
                                                        msedge_visual_render.exeGet hashmaliciousXWormBrowse
                                                          exe030.exeGet hashmaliciousXWormBrowse
                                                            pQm8Ci3Dov.exeGet hashmaliciousXWormBrowse
                                                              jkL96SLfWS.exeGet hashmaliciousXWormBrowse
                                                                xtrSvgqQEW.exeGet hashmaliciousXWormBrowse
                                                                  7PRbdkCn03.exeGet hashmaliciousXWormBrowse

                                                                    Domains

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    23.ip.gl.ply.ggmsedge_visual_render.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23
                                                                    7PRbdkCn03.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23
                                                                    8Hd0ZExgJz.exeGet hashmaliciousBlank Grabber, Umbral Stealer, XWormBrowse
                                                                    • 147.185.221.23
                                                                    RLesaPFXew.exeGet hashmaliciousSilverRatBrowse
                                                                    • 147.185.221.23
                                                                    r8gcHFIf3x.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23
                                                                    q0SpP6HxtE.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23

                                                                    ASNs

                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                    SALSGIVERUSfiPZoO6xvJ.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23
                                                                    EternalPredictor.exeGet hashmaliciousBlank Grabber, Skuld Stealer, XWormBrowse
                                                                    • 147.185.221.23
                                                                    eternal.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23
                                                                    svchost.exeGet hashmaliciousUnknownBrowse
                                                                    • 147.185.221.23
                                                                    msedge_visual_render.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23
                                                                    exe030.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23
                                                                    pQm8Ci3Dov.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23
                                                                    jkL96SLfWS.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23
                                                                    xtrSvgqQEW.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23
                                                                    7PRbdkCn03.exeGet hashmaliciousXWormBrowse
                                                                    • 147.185.221.23

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

                                                                    Download File
                                                                    Process:C:\Users\user\AppData\Roaming\svchost.exe
                                                                    File Type:CSV text
                                                                    Category:dropped
                                                                    Size (bytes):654
                                                                    Entropy (8bit):5.380476433908377
                                                                    Encrypted:false
                                                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                    Malicious:false
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..

                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:modified
                                                                    Size (bytes):64
                                                                    Entropy (8bit):0.34726597513537405
                                                                    Encrypted:false
                                                                    SSDEEP:3:Nlll:Nll
                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                    Malicious:false
                                                                    Preview:@...e...........................................................

                                                                    C:\Users\user\AppData\Local\Temp\Log.tmp

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\9GlCWW6bXc.exe
                                                                    File Type:Generic INItialization configuration [WIN]
                                                                    Category:dropped
                                                                    Size (bytes):64
                                                                    Entropy (8bit):3.6722687970803873
                                                                    Encrypted:false
                                                                    SSDEEP:3:rRSFYJKXzovNsr42VjFYJKXzovuEXn:EFYJKDoWr5FYJKDoG+n
                                                                    MD5:DE63D53293EBACE29F3F54832D739D40
                                                                    SHA1:1BC3FEF699C3C2BB7B9A9D63C7E60381263EDA7F
                                                                    SHA-256:A86BA2FC02725E4D97799A622EB68BF2FCC6167D439484624FA2666468BBFB1B
                                                                    SHA-512:10AB83C81F572DBAA99441D2BFD8EC5FF1C4BA84256ACDBD24FEB30A33498B689713EBF767500DAAAD6D188A3B9DC970CF858A6896F4381CEAC1F6A74E1603D0
                                                                    Malicious:false
                                                                    Preview:....### explorer ###..[WIN]r[WIN]....### explorer ###..r[WIN]r

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0e1ks4eg.fd3.ps1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajcbmm4m.zob.psm1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bm5tmmkk.i5m.psm1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ejgd20co.txd.psm1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fpfgkjkl.h3y.psm1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hre4qeyf.m3z.psm1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hwudrs30.oet.ps1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jn0zgzut.cm2.ps1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jus5jvk0.spt.ps1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o233mgxr.4li.psm1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ozyyzhme.iao.psm1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rtvekrnf.lmi.ps1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uav1cyzz.mxj.ps1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v4avkrma.pwf.psm1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xe4tdkqj.0r5.ps1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xmcqgsxj.cco.ps1

                                                                    Download File
                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:ASCII text, with no line terminators
                                                                    Category:dropped
                                                                    Size (bytes):60
                                                                    Entropy (8bit):4.038920595031593
                                                                    Encrypted:false
                                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                    Malicious:false
                                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\9GlCWW6bXc.exe
                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Nov 17 17:21:59 2024, mtime=Sun Nov 17 17:21:59 2024, atime=Sun Nov 17 17:21:59 2024, length=261120, window=hide
                                                                    Category:dropped
                                                                    Size (bytes):765
                                                                    Entropy (8bit):5.070079610943939
                                                                    Encrypted:false
                                                                    SSDEEP:12:8mRuC24fRCZ8q88CI4FlsY//hdELHN8Rex9jATmHkmnzAMFmV:8mRu0f888aFZWtqc5AFCzAMFm
                                                                    MD5:BCF198E73FF22F8F992E6A355705DB09
                                                                    SHA1:EB40DC850CF8EA32AD3D67E32F7496E22550C410
                                                                    SHA-256:3CBEDA4A7AC2DF1D51E5709F8C49EB724F7E11FAE0C8F2B656515D445371A2C6
                                                                    SHA-512:0DF48C8B746C2DBC1F2F638EFC49399162CE4618948B9E3196465CAFD03E6131F4DFA94F95ED05ADC388963E93DCB749F2CB55C12FD32A35C172A0D4F9867796
                                                                    Malicious:false
                                                                    Preview:L..................F.... ...4.O..9..4.O..9..4.O..9..........................v.:..DG..Yr?.D..U..k0.&...&...... M........o.9..iFl..9......t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSlqY......B.....................Bdg.A.p.p.D.a.t.a...B.V.1.....qY....Roaming.@......DWSlqY......C.........................R.o.a.m.i.n.g.....b.2.....qY.. .svchost.exe.H......qY..qY......e'.....................)k.s.v.c.h.o.s.t...e.x.e.......Z...............-.......Y............{.......C:\Users\user\AppData\Roaming\svchost.exe........\.....\.....\.....\.....\.s.v.c.h.o.s.t...e.x.e.`.......X.......610930...........hT..CrF.f4... .n.......,...W..hT..CrF.f4... .n.......,...W..E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                                                    C:\Users\user\AppData\Roaming\svchost.exe

                                                                    Download File
                                                                    Process:C:\Users\user\Desktop\9GlCWW6bXc.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):261120
                                                                    Entropy (8bit):5.460138478667146
                                                                    Encrypted:false
                                                                    SSDEEP:3072:sH++bXekOTbSiLvAzII9x66AOag74srxxVfPWKvQIFY623:snbGCqONxTGqQI+62
                                                                    MD5:E03C1771945C884883A82704A93CA453
                                                                    SHA1:78609D9940EC6E59DB7961EC2AC859C68CE81186
                                                                    SHA-256:53FFBE2E9C08961A21157BE3A79FE0A33D19EC4BDAE8CF2DC62C27F1FA4097DF
                                                                    SHA-512:ED063720D08C2CD8B674101B5D457795EC570FEE19C1E0747FD708428F7B8AE9736CFC02ACE2FDC0040CC15019163FA86FBA22147C68D77FC22BE95D3343AB6D
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 79%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8g.....................,........... ........@.. .......................`............@.....................................S........)...................@....................................................... ............... ..H............text...$.... ...................... ..`.rsrc....).......*..................@..@.reloc.......@......................@..B........................H........].........&.....................................................(....*.r...p*. ...*..(....*.r...p*. 9...*.s.........s.........s.........s.........*.r-..p*. *p{.*.rC..p*. .O..*.rY..p*. .(T.*.ro..p*. :...*.r...p*. ....*..((...*.r...p*. .x!.*.r...p*. .R..*"(....+.*&(....&+.*.+5sY... .... .'..oZ...(,...~....-.(G...(9...~....o[...&.-.*.r...p*. S...*.r...p*. .R..*.r...p*. ..1.*.r...p*. ..4.*.r...p*. ...*.r#..p*..............j..................s\..............*"(I...+.*:

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):5.460138478667146
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    • DOS Executable Generic (2002/1) 0.01%
                                                                    File name:9GlCWW6bXc.exe
                                                                    File size:261'120 bytes
                                                                    MD5:e03c1771945c884883a82704a93ca453
                                                                    SHA1:78609d9940ec6e59db7961ec2ac859c68ce81186
                                                                    SHA256:53ffbe2e9c08961a21157be3a79fe0a33d19ec4bdae8cf2dc62c27f1fa4097df
                                                                    SHA512:ed063720d08c2cd8b674101b5d457795ec570fee19c1e0747fd708428f7b8ae9736cfc02ace2fdc0040cc15019163fa86fba22147c68d77fc22be95d3343ab6d
                                                                    SSDEEP:3072:sH++bXekOTbSiLvAzII9x66AOag74srxxVfPWKvQIFY623:snbGCqONxTGqQI+62
                                                                    TLSH:DF44F853BB49CC81D075A3FD4462C6F987272E99A426835B20F5FE67FAB26430D092D2
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8g.....................,........... ........@.. .......................`............@................................

                                                                    File Icon

                                                                    Icon Hash:4d17336d292b0f07

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x40ed1e
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x6738C9C3 [Sat Nov 16 16:35:15 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al

                                                                    Data Directories

                                                                    NameVirtual AddressVirtual Size Is in Section
                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0xecc80x53.text
                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x100000x329a2.rsrc
                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x440000xc.reloc
                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                    Sections

                                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                    .text0x20000xcd240xce007f5c8a00c2a59ea400fd0d04a34ad5e5False0.5686817354368932data5.898011209790337IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                    .rsrc0x100000x329a20x32a00461559bb8570beda00ebfd2538cbe3cbFalse0.4222270447530864data5.168150483370865IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                    .reloc0x440000xc0x2003f73fb47df0b927fdb8c9e02ed851b94False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

                                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                    RT_ICON0x102b00x468Device independent bitmap graphic, 16 x 32 x 32, image size 10240.7411347517730497
                                                                    RT_ICON0x107180x988Device independent bitmap graphic, 24 x 48 x 32, image size 23040.5913934426229508
                                                                    RT_ICON0x110a00x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 40960.4978893058161351
                                                                    RT_ICON0x121480x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 92160.3844398340248963
                                                                    RT_ICON0x146f00x4228Device independent bitmap graphic, 64 x 128 x 32, image size 163840.32144544166273026
                                                                    RT_ICON0x189180x5488Device independent bitmap graphic, 72 x 144 x 32, image size 207360.3004158964879852
                                                                    RT_ICON0x1dda00x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 368640.2586977086398991
                                                                    RT_ICON0x272480x10828Device independent bitmap graphic, 128 x 256 x 32, image size 655360.22999231042233526
                                                                    RT_ICON0x37a700xaa4ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9830038075141061
                                                                    RT_GROUP_ICON0x424c00x84data0.7121212121212122
                                                                    RT_VERSION0x425440x274data0.4538216560509554
                                                                    RT_MANIFEST0x427b80x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5469387755102041

                                                                    Imports

                                                                    DLLImport
                                                                    mscoree.dll_CorExeMain

                                                                    Network Behavior

                                                                    Suricata IDS Alerts

                                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                    2024-11-17T19:23:05.026396+01002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.549986147.185.221.237972TCP

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Nov 17, 2024 19:22:00.545480013 CET499167972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:00.550445080 CET797249916147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:00.550533056 CET499167972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:00.674417019 CET499167972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:00.680912018 CET797249916147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:09.028208017 CET797249916147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:09.028367996 CET499167972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:09.152597904 CET499167972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:09.157413960 CET797249916147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:09.160053015 CET499627972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:09.165067911 CET797249962147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:09.165157080 CET499627972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:09.339807987 CET499627972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:09.344641924 CET797249962147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:17.640249014 CET797249962147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:17.640321970 CET499627972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:19.150594950 CET499627972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:19.155518055 CET797249962147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:19.159348965 CET499817972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:19.164432049 CET797249981147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:19.164509058 CET499817972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:19.263782024 CET499817972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:19.269166946 CET797249981147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:27.649024963 CET797249981147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:27.649108887 CET499817972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:27.725229979 CET499817972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:27.726700068 CET499837972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:27.738482952 CET797249981147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:27.740048885 CET797249983147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:27.740143061 CET499837972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:27.756469011 CET499837972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:27.761482954 CET797249983147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:36.239965916 CET797249983147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:36.240148067 CET499837972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:37.554322004 CET499837972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:37.556617975 CET499847972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:37.559381008 CET797249983147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:37.561495066 CET797249984147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:37.561583996 CET499847972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:37.586379051 CET499847972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:37.591387987 CET797249984147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:46.058492899 CET797249984147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:46.058587074 CET499847972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:47.288079023 CET499847972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:47.293622971 CET797249984147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:47.294521093 CET499857972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:47.299779892 CET797249985147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:47.299875975 CET499857972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:47.327095985 CET499857972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:47.332393885 CET797249985147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:55.796679020 CET797249985147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:55.796827078 CET499857972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:56.615896940 CET499857972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:56.617479086 CET499867972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:56.620986938 CET797249985147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:56.622945070 CET797249986147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:22:56.623341084 CET499867972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:56.642493963 CET499867972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:22:56.647495985 CET797249986147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:23:05.026396036 CET499867972192.168.2.5147.185.221.23
                                                                    Nov 17, 2024 19:23:05.031393051 CET797249986147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:23:05.119564056 CET797249986147.185.221.23192.168.2.5
                                                                    Nov 17, 2024 19:23:05.119636059 CET499867972192.168.2.5147.185.221.23

                                                                    UDP Packets

                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Nov 17, 2024 19:22:00.526530981 CET5408153192.168.2.51.1.1.1
                                                                    Nov 17, 2024 19:22:00.539527893 CET53540811.1.1.1192.168.2.5

                                                                    DNS Queries

                                                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                    Nov 17, 2024 19:22:00.526530981 CET192.168.2.51.1.1.10xe174Standard query (0)23.ip.gl.ply.ggA (IP address)IN (0x0001)false

                                                                    DNS Answers

                                                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                    Nov 17, 2024 19:22:00.539527893 CET1.1.1.1192.168.2.50xe174No error (0)23.ip.gl.ply.gg147.185.221.23A (IP address)IN (0x0001)false

                                                                    Statistics

                                                                    CPU Usage

                                                                    Click to jump to process

                                                                    Memory Usage

                                                                    Click to jump to process

                                                                    High Level Behavior Distribution

                                                                    Click to dive into process behavior distribution

                                                                    Behavior

                                                                    Click to jump to process

                                                                    System Behavior

                                                                    General

                                                                    Target ID:0
                                                                    Start time:13:20:59
                                                                    Start date:17/11/2024
                                                                    Path:C:\Users\user\Desktop\9GlCWW6bXc.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\Desktop\9GlCWW6bXc.exe"
                                                                    Imagebase:0x4a0000
                                                                    File size:261'120 bytes
                                                                    MD5 hash:E03C1771945C884883A82704A93CA453
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.2025052692.00000000004A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.2025052692.00000000004A2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.3319151670.00000000127C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.3319151670.00000000127C8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low
                                                                    Has exited:false

                                                                    General

                                                                    Target ID:2
                                                                    Start time:13:21:02
                                                                    Start date:17/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\9GlCWW6bXc.exe'
                                                                    Imagebase:0x7ff7be880000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:3
                                                                    Start time:13:21:02
                                                                    Start date:17/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:5
                                                                    Start time:13:21:09
                                                                    Start date:17/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '9GlCWW6bXc.exe'
                                                                    Imagebase:0x7ff7be880000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:6
                                                                    Start time:13:21:09
                                                                    Start date:17/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:8
                                                                    Start time:13:21:19
                                                                    Start date:17/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\svchost.exe'
                                                                    Imagebase:0x7ff7be880000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:9
                                                                    Start time:13:21:19
                                                                    Start date:17/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:10
                                                                    Start time:13:21:36
                                                                    Start date:17/11/2024
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                                    Imagebase:0x7ff7be880000
                                                                    File size:452'608 bytes
                                                                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:11
                                                                    Start time:13:21:36
                                                                    Start date:17/11/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:13
                                                                    Start time:13:22:08
                                                                    Start date:17/11/2024
                                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                                    Imagebase:0x590000
                                                                    File size:261'120 bytes
                                                                    MD5 hash:E03C1771945C884883A82704A93CA453
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                                                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 79%, ReversingLabs
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    General

                                                                    Target ID:14
                                                                    Start time:13:22:16
                                                                    Start date:17/11/2024
                                                                    Path:C:\Users\user\AppData\Roaming\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                                                                    Imagebase:0xf70000
                                                                    File size:261'120 bytes
                                                                    MD5 hash:E03C1771945C884883A82704A93CA453
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Disassembly

                                                                    Reset < >

                                                                      Execution Graph

                                                                      Execution Coverage:20.3%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:6
                                                                      Total number of Limit Nodes:0
                                                                      execution_graph 4514 7ff848e72f58 4515 7ff848e72f61 RtlSetProcessIsCritical 4514->4515 4517 7ff848e73032 4515->4517 4518 7ff848e73478 4519 7ff848e73481 SetWindowsHookExW 4518->4519 4521 7ff848e73551 4519->4521

                                                                      Executed Functions

                                                                      Function 00007FF848E71689 Relevance: .7, Instructions: 673COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 335 7ff848e71689-7ff848e71698 336 7ff848e716df-7ff848e71700 335->336 337 7ff848e7169a-7ff848e716b7 335->337 339 7ff848e71d9c-7ff848e71de3 336->339 340 7ff848e71706-7ff848e71714 call 7ff848e70558 336->340 341 7ff848e716b9-7ff848e716c5 337->341 345 7ff848e71719-7ff848e71835 call 7ff848e70558 * 7 call 7ff848e70688 340->345 382 7ff848e7183e call 7ff848e70490 345->382 383 7ff848e71837 345->383 385 7ff848e71843-7ff848e718af call 7ff848e70358 call 7ff848e70368 382->385 383->382 395 7ff848e718c2-7ff848e718d2 385->395 396 7ff848e718b1-7ff848e718bb 385->396 399 7ff848e718fa 395->399 400 7ff848e718d4-7ff848e718f3 call 7ff848e70358 395->400 396->395 402 7ff848e71904-7ff848e7191a 399->402 400->399 406 7ff848e7191c-7ff848e71926 call 7ff848e70378 402->406 407 7ff848e7192b-7ff848e71955 call 7ff848e71188 402->407 406->407 412 7ff848e7195a-7ff848e7196b 407->412 414 7ff848e71975-7ff848e7198d call 7ff848e70388 412->414 416 7ff848e71992-7ff848e71996 414->416 417 7ff848e719a2-7ff848e719b4 call 7ff848e70398 416->417 420 7ff848e719be-7ff848e719e5 417->420 422 7ff848e719ec-7ff848e719f8 420->422 423 7ff848e71a04-7ff848e71a34 422->423 428 7ff848e71a3f-7ff848e71a67 423->428 429 7ff848e71a6e-7ff848e71a76 428->429 430 7ff848e71a78-7ff848e71aab 429->430 431 7ff848e71ac4-7ff848e71af7 429->431 430->431 438 7ff848e71aad-7ff848e71aba 430->438 442 7ff848e71b1c-7ff848e71b4c 431->442 443 7ff848e71af9-7ff848e71b13 431->443 438->431 441 7ff848e71abc-7ff848e71ac2 438->441 441->431 444 7ff848e71b54-7ff848e71b8b 442->444 445 7ff848e71b1a 443->445 451 7ff848e71b8d-7ff848e71bae 444->451 452 7ff848e71bb0-7ff848e71be0 444->452 445->444 453 7ff848e71be8-7ff848e71bfd 451->453 452->453 456 7ff848e71bff-7ff848e71c24 453->456 457 7ff848e71c2b-7ff848e71c32 456->457 458 7ff848e71c34-7ff848e71c49 call 7ff848e703a8 457->458 460 7ff848e71c4e-7ff848e71c54 458->460 461 7ff848e71c5b-7ff848e71c5c call 7ff848e70628 460->461 463 7ff848e71c61-7ff848e71cab 461->463 468 7ff848e71cb2-7ff848e71cb3 463->468 469 7ff848e71cba-7ff848e71cc0 call 7ff848e70f18 468->469 472 7ff848e71cc8-7ff848e71cca 469->472 473 7ff848e71ccc call 7ff848e71108 472->473 474 7ff848e71cd1-7ff848e71d5f 472->474 473->474
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3329120296.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff848e70000_9GlCWW6bXc.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e801ee9d140cca91ad831a1fead254710603f65e730bbebea323444b24d49759
                                                                      • Instruction ID: c81e8f945a7987b7772d58b65907f4a8d3a17f4f6f3ba0120af7e1cf4b097039
                                                                      • Opcode Fuzzy Hash: e801ee9d140cca91ad831a1fead254710603f65e730bbebea323444b24d49759
                                                                      • Instruction Fuzzy Hash: DB22B371E2CA4A5FE798FB3894596BAB7D2FF88780F440579D00EC3292DF39A8418745
                                                                      Function 00007FF848E716C9 Relevance: .6, Instructions: 574COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3329120296.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff848e70000_9GlCWW6bXc.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2f79f4342cca97dc4fe1f79c7b6ea95cf8636976fe4016ff00b1de11e41047be
                                                                      • Instruction ID: c6018621a3fc190ae4f897ba5dc12ae201af72a642b05a4ab97f6ca1f1be9bf1
                                                                      • Opcode Fuzzy Hash: 2f79f4342cca97dc4fe1f79c7b6ea95cf8636976fe4016ff00b1de11e41047be
                                                                      • Instruction Fuzzy Hash: 1D02B130E2DA4A5FE798FB3894596BA77D2FF88780F4405B9D00EC32D6DE39A8018745
                                                                      Function 00007FF848E78346 Relevance: .5, Instructions: 477COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 671 7ff848e78346-7ff848e78353 672 7ff848e7835e-7ff848e78427 671->672 673 7ff848e78355-7ff848e7835d 671->673 677 7ff848e78429-7ff848e78432 672->677 678 7ff848e78493 672->678 673->672 677->678 679 7ff848e78434-7ff848e78440 677->679 680 7ff848e78495-7ff848e784ba 678->680 681 7ff848e78479-7ff848e78491 679->681 682 7ff848e78442-7ff848e78454 679->682 686 7ff848e784bc-7ff848e784c5 680->686 687 7ff848e78526 680->687 681->680 684 7ff848e78458-7ff848e7846b 682->684 685 7ff848e78456 682->685 684->684 688 7ff848e7846d-7ff848e78475 684->688 685->684 686->687 689 7ff848e784c7-7ff848e784d3 686->689 690 7ff848e78528-7ff848e785d0 687->690 688->681 691 7ff848e7850c-7ff848e78524 689->691 692 7ff848e784d5-7ff848e784e7 689->692 701 7ff848e7863e 690->701 702 7ff848e785d2-7ff848e785dc 690->702 691->690 693 7ff848e784eb-7ff848e784fe 692->693 694 7ff848e784e9 692->694 693->693 696 7ff848e78500-7ff848e78508 693->696 694->693 696->691 704 7ff848e78640-7ff848e78669 701->704 702->701 703 7ff848e785de-7ff848e785eb 702->703 705 7ff848e785ed-7ff848e785ff 703->705 706 7ff848e78624-7ff848e7863c 703->706 711 7ff848e7866b-7ff848e78676 704->711 712 7ff848e786d3 704->712 707 7ff848e78603-7ff848e78616 705->707 708 7ff848e78601 705->708 706->704 707->707 710 7ff848e78618-7ff848e78620 707->710 708->707 710->706 711->712 714 7ff848e78678-7ff848e78686 711->714 713 7ff848e786d5-7ff848e78766 712->713 722 7ff848e7876c-7ff848e7877b 713->722 715 7ff848e786bf-7ff848e786d1 714->715 716 7ff848e78688-7ff848e7869a 714->716 715->713 717 7ff848e7869e-7ff848e786b1 716->717 718 7ff848e7869c 716->718 717->717 720 7ff848e786b3-7ff848e786bb 717->720 718->717 720->715 723 7ff848e7877d 722->723 724 7ff848e78783-7ff848e787e8 call 7ff848e78804 722->724 723->724 731 7ff848e787ef-7ff848e78803 724->731 732 7ff848e787ea 724->732 732->731
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3329120296.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff848e70000_9GlCWW6bXc.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: aad75ad6d961baa802378966a3ac6ed7b1d09c78794a287630ef5bed4ed9fdcb
                                                                      • Instruction ID: bc4b555a6b989f678e8231168a584342670b32483e9ec14266866a0fb8aaf914
                                                                      • Opcode Fuzzy Hash: aad75ad6d961baa802378966a3ac6ed7b1d09c78794a287630ef5bed4ed9fdcb
                                                                      • Instruction Fuzzy Hash: F6F1A33090CA8D8FEBA8EF28C8557E937D1FF64350F04426AE85DC7291DF7499458B86
                                                                      Function 00007FF848E790F2 Relevance: .5, Instructions: 463COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 733 7ff848e790f2-7ff848e790ff 734 7ff848e7910a-7ff848e791d7 733->734 735 7ff848e79101-7ff848e79109 733->735 739 7ff848e791d9-7ff848e791e2 734->739 740 7ff848e79243 734->740 735->734 739->740 741 7ff848e791e4-7ff848e791f0 739->741 742 7ff848e79245-7ff848e7926a 740->742 743 7ff848e79229-7ff848e79241 741->743 744 7ff848e791f2-7ff848e79204 741->744 748 7ff848e7926c-7ff848e79275 742->748 749 7ff848e792d6 742->749 743->742 745 7ff848e79208-7ff848e7921b 744->745 746 7ff848e79206 744->746 745->745 750 7ff848e7921d-7ff848e79225 745->750 746->745 748->749 751 7ff848e79277-7ff848e79283 748->751 752 7ff848e792d8-7ff848e792fd 749->752 750->743 753 7ff848e792bc-7ff848e792d4 751->753 754 7ff848e79285-7ff848e79297 751->754 759 7ff848e792ff-7ff848e79309 752->759 760 7ff848e7936b 752->760 753->752 755 7ff848e7929b-7ff848e792ae 754->755 756 7ff848e79299 754->756 755->755 758 7ff848e792b0-7ff848e792b8 755->758 756->755 758->753 759->760 762 7ff848e7930b-7ff848e79318 759->762 761 7ff848e7936d-7ff848e7939b 760->761 769 7ff848e7939d-7ff848e793a8 761->769 770 7ff848e7940b 761->770 763 7ff848e7931a-7ff848e7932c 762->763 764 7ff848e79351-7ff848e79369 762->764 766 7ff848e7932e 763->766 767 7ff848e79330-7ff848e79343 763->767 764->761 766->767 767->767 768 7ff848e79345-7ff848e7934d 767->768 768->764 769->770 771 7ff848e793aa-7ff848e793b8 769->771 772 7ff848e7940d-7ff848e794e5 770->772 773 7ff848e793ba-7ff848e793cc 771->773 774 7ff848e793f1-7ff848e79409 771->774 782 7ff848e794eb-7ff848e794fa 772->782 776 7ff848e793ce 773->776 777 7ff848e793d0-7ff848e793e3 773->777 774->772 776->777 777->777 779 7ff848e793e5-7ff848e793ed 777->779 779->774 783 7ff848e794fc 782->783 784 7ff848e79502-7ff848e79564 call 7ff848e79580 782->784 783->784 791 7ff848e7956b-7ff848e7957f 784->791 792 7ff848e79566 784->792 792->791
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3329120296.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff848e70000_9GlCWW6bXc.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 758f6da204aa714a95227e4cfa8b090f3a8ca2170d3858b68b69feb67848aaa8
                                                                      • Instruction ID: 74d6e5fda3fb9ca33a295e02d30097444c8b18e8e0d998cd797f77b71e494ce2
                                                                      • Opcode Fuzzy Hash: 758f6da204aa714a95227e4cfa8b090f3a8ca2170d3858b68b69feb67848aaa8
                                                                      • Instruction Fuzzy Hash: 1FE1C23090CA8D8FEBA9EF28D8557E977E1FF54350F04426AD80DC7295DF7898818B81
                                                                      Function 00007FF848E73478 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 207 7ff848e73478-7ff848e7347f 208 7ff848e7348a-7ff848e734fd 207->208 209 7ff848e73481-7ff848e73489 207->209 213 7ff848e73589-7ff848e7358d 208->213 214 7ff848e73503-7ff848e73510 208->214 209->208 215 7ff848e73512-7ff848e7354f SetWindowsHookExW 213->215 214->215 216 7ff848e73557-7ff848e73588 215->216 217 7ff848e73551 215->217 217->216
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3329120296.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff848e70000_9GlCWW6bXc.jbxd
                                                                      Similarity
                                                                      • API ID: HookWindows
                                                                      • String ID:
                                                                      • API String ID: 2559412058-0
                                                                      • Opcode ID: 7012f469165c8b8f9d7b40e99551610b5ac0974216fd8337cf3618e2df28fbf5
                                                                      • Instruction ID: 50b086020db8c1ecde26090e905ff904a1d9129811774ac8f50cde087f53bea5
                                                                      • Opcode Fuzzy Hash: 7012f469165c8b8f9d7b40e99551610b5ac0974216fd8337cf3618e2df28fbf5
                                                                      • Instruction Fuzzy Hash: 4041F23090CA4C8FDB58EB6CD8466F9BBE1FB59361F00027ED009C3292DA74A8128781
                                                                      Function 00007FF848E72F58 Relevance: 1.6, APIs: 1, Instructions: 136COMMON
                                                                      Download Yara Rule

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 221 7ff848e72f58-7ff848e73030 RtlSetProcessIsCritical 227 7ff848e73038-7ff848e7306d 221->227 228 7ff848e73032 221->228 228->227
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.3329120296.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_7ff848e70000_9GlCWW6bXc.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalProcess
                                                                      • String ID:
                                                                      • API String ID: 2695349919-0
                                                                      • Opcode ID: ebbcf7ba23cd3f62946e59ee1c38c152b60b0adeab0fd007244b157ca94033ee
                                                                      • Instruction ID: a3d3689e9b2e57dd1694aa04f697eb275fc38aa019550cc8a8a1eca31efda1da
                                                                      • Opcode Fuzzy Hash: ebbcf7ba23cd3f62946e59ee1c38c152b60b0adeab0fd007244b157ca94033ee
                                                                      • Instruction Fuzzy Hash: EF41E33190CA488FDB28EB98E8456F97BE0FF55311F04412ED48AD3692DB30A846CB91

                                                                      Executed Functions

                                                                      Function 00007FF848F46605 Relevance: .4, Instructions: 437COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2123305777.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 61e79d328a7f5262f023365f61d2af9373d497a28dd1193beed3914426021922
                                                                      • Instruction ID: 13e59b3976c7278e1691e7c2f7d986fe4a841d250a108888539d6259e75ccc24
                                                                      • Opcode Fuzzy Hash: 61e79d328a7f5262f023365f61d2af9373d497a28dd1193beed3914426021922
                                                                      • Instruction Fuzzy Hash: 4FD16331D0EA8A5FF799AB2858145B57BA0EF26B94F1801FFD00DDB0D3EA1CA805C755
                                                                      Function 00007FF848E7AAFA Relevance: .3, Instructions: 316COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2122928015.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9167868e931b2fa8fac7d0dafb5f997d2b359d14738dba848ba0cff8afdd365c
                                                                      • Instruction ID: a859cb6ed86ebce0ebc85abf3a4ba6ec6388ccf8b841c648eddf008b40f27f12
                                                                      • Opcode Fuzzy Hash: 9167868e931b2fa8fac7d0dafb5f997d2b359d14738dba848ba0cff8afdd365c
                                                                      • Instruction Fuzzy Hash: 02813D7390DA995FE319AA3CECA54F43B90FF52665F0802FBD088CA093EE2558478355
                                                                      Function 00007FF848E7A71C Relevance: .2, Instructions: 198COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2122928015.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 29b37447c673cc64ffaaa128926b89c5f6f23f117529ec76a06781991417af9b
                                                                      • Instruction ID: d0f882565b2bf26d5714d3d36c700e87b8673e2c2ac8ee395d1f6370c4bbab5b
                                                                      • Opcode Fuzzy Hash: 29b37447c673cc64ffaaa128926b89c5f6f23f117529ec76a06781991417af9b
                                                                      • Instruction Fuzzy Hash: 4D51793190DB854FE30AEB28D8958B47BE0FF56354F1404BED48AC71A3EA29A843C741
                                                                      Function 00007FF848D5E620 Relevance: .1, Instructions: 128COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2122491154.00007FF848D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D5D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848d5d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 26cc3182b486df6964f2fdc2886275138073663e7ce80195df41e4a4986967a1
                                                                      • Instruction ID: 225627467143d6506f1b0144e97ca7de8dcc0abf3b25b7a92ab20b20a6e94375
                                                                      • Opcode Fuzzy Hash: 26cc3182b486df6964f2fdc2886275138073663e7ce80195df41e4a4986967a1
                                                                      • Instruction Fuzzy Hash: AD41277180EBC44FE756AB389845A527FF0EF57360F1505DFD088CB1A3D625A84AC7A2
                                                                      Function 00007FF848E79768 Relevance: .1, Instructions: 124COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2122928015.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1281d56d1e96eb60999d33eb83f75a3d704b56adb5cb9db318510286de4c0574
                                                                      • Instruction ID: 677d1f6721f25417daebaff5a858978d34da77912275a907434206ec433a454e
                                                                      • Opcode Fuzzy Hash: 1281d56d1e96eb60999d33eb83f75a3d704b56adb5cb9db318510286de4c0574
                                                                      • Instruction Fuzzy Hash: 6A31E83191CB489FDB5CEF5CA8066B977E0FB99710F00422FE44993252DB75A856CBC2
                                                                      Function 00007FF848E733B5 Relevance: .0, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2122928015.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                      • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                      • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45
                                                                      Function 00007FF848F4414D Relevance: .0, Instructions: 37COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2123305777.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 69626128285789c7fad31b5d2ac96fca2e567ed79dbb3d2fbf7c763a49065598
                                                                      • Instruction ID: bdf875db202c8b026955b0eabe2e2883432de979a962ec6228cc3d88e3a9fef6
                                                                      • Opcode Fuzzy Hash: 69626128285789c7fad31b5d2ac96fca2e567ed79dbb3d2fbf7c763a49065598
                                                                      • Instruction Fuzzy Hash: A8F09031A0D5058FD659EB0CE4008A473E0FFA4364B1100BBE01DD71A3CB25EC408758
                                                                      Function 00007FF848F44400 Relevance: .0, Instructions: 35COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2123305777.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bd231a2f3095a519d9f87badc1e9bd4f22cf2d49bb7c3c988cfb8f7e1ff270d0
                                                                      • Instruction ID: 01c15f5385eebff1f67441c54edc01eb972ba8cc755f42a637601458ee4d8c96
                                                                      • Opcode Fuzzy Hash: bd231a2f3095a519d9f87badc1e9bd4f22cf2d49bb7c3c988cfb8f7e1ff270d0
                                                                      • Instruction Fuzzy Hash: 70F0BE31A0D5448FD754EB0CE4408A8B3F0FF54724B1100F7E119D70A3DB25AC608754
                                                                      Function 00007FF848E7A0E8 Relevance: .0, Instructions: 35COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2122928015.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e7ae431a98d0a2fc6b9f973bcd61e44bd54ecca76c330d6be900fab6a1e98d8c
                                                                      • Instruction ID: 7a92529717a7c37e44496b74d74a5844ed75de3fca9f47ac856e9455e976f8ec
                                                                      • Opcode Fuzzy Hash: e7ae431a98d0a2fc6b9f973bcd61e44bd54ecca76c330d6be900fab6a1e98d8c
                                                                      • Instruction Fuzzy Hash: 06F0A03690D98C8FDB48EF2898594E57FE0FB65601B4501ABE40DD7162DB319998CB82
                                                                      Function 00007FF848F441D1 Relevance: .0, Instructions: 29COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2123305777.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                      • Instruction ID: d76d88544f8f17bf3ee0e6656c2ee5cd95f71ee8ab9b11c39950933bcc316587
                                                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                      • Instruction Fuzzy Hash: 94E01A31B0C8088FDA69EB0CE0409A973E1FBB8365B1101B7D14EE75A1CB22EC518B84

                                                                      Non-executed Functions

                                                                      Function 00007FF848E78995 Relevance: 5.1, Strings: 4, Instructions: 140COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2122928015.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M_^$M_^$M_^$M_^
                                                                      • API String ID: 0-1397233021
                                                                      • Opcode ID: e4e42d2e5754d8af95348d538003c24b4b7065bbb60eb113fdf5a4c06d4f30ca
                                                                      • Instruction ID: ba226d79ac383a9b8aea4a96e46b212a01865d0dd372ff05411b995a3bc313c5
                                                                      • Opcode Fuzzy Hash: e4e42d2e5754d8af95348d538003c24b4b7065bbb60eb113fdf5a4c06d4f30ca
                                                                      • Instruction Fuzzy Hash: 8A41B5A3D0E6D25FE34B962858650E57F90FF723A4B0D42F7C5988B093EE2C540B935A
                                                                      Function 00007FF848E78BFA Relevance: 5.1, Strings: 4, Instructions: 85COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2122928015.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M_^4$M_^7$M_^F$M_^J
                                                                      • API String ID: 0-622050427
                                                                      • Opcode ID: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                                                      • Instruction ID: 725765fdab5eb4fc6dc0b808c9c5322b07e5f4148511d7d2ba618ef3c928e049
                                                                      • Opcode Fuzzy Hash: 0952385b8bdb8dc4856a798c81327935ad6e11df2551058c8feb274a0171bac6
                                                                      • Instruction Fuzzy Hash: 0F2129F7649865AED30A7B7DF8045E93740DF942B4B8953B2E098CB083FE1470868ED4

                                                                      Executed Functions

                                                                      Function 00007FF848F46605 Relevance: 1.7, Strings: 1, Instructions: 438COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2227628858.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: X7I'
                                                                      • API String ID: 0-2322090595
                                                                      • Opcode ID: 2eb2d4b94bd742ac852d016746b2e841ab955941eb62a8c9406a87ca94eb8633
                                                                      • Instruction ID: 0ebdff246342868d6a759a30330b506c69b6bd83aaabe87f1ac490905c22d457
                                                                      • Opcode Fuzzy Hash: 2eb2d4b94bd742ac852d016746b2e841ab955941eb62a8c9406a87ca94eb8633
                                                                      • Instruction Fuzzy Hash: 22D16331E0EA8A5FF799AB2858145B57BA0EF26B90F1801FBD00DDB1D3EE18A804C755
                                                                      Function 00007FF848E7A848 Relevance: .2, Instructions: 188COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2226956123.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6146e9803f32b9cbbeb57eb244b346341191c5807029ad53b20a37160dd88cd3
                                                                      • Instruction ID: 1e46e77545e0ee48522eccd4176943f7c1da03c4e88996de50d2442e7d3c8692
                                                                      • Opcode Fuzzy Hash: 6146e9803f32b9cbbeb57eb244b346341191c5807029ad53b20a37160dd88cd3
                                                                      • Instruction Fuzzy Hash: CC51563190CB858FE30AEB28D8998707BE0FF56354B1801BED4C9C71A3EE25A843C756
                                                                      Function 00007FF848D5F280 Relevance: .1, Instructions: 128COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2226166317.00007FF848D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D5D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848d5d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 12c524d72a833d7cf3db129c3c14e1f05c31d9cd9921eb287eb5f19911300d43
                                                                      • Instruction ID: 64716fac3e7a3178c67be5568c148f9e47feafeaa4cb47a875e697afcac34575
                                                                      • Opcode Fuzzy Hash: 12c524d72a833d7cf3db129c3c14e1f05c31d9cd9921eb287eb5f19911300d43
                                                                      • Instruction Fuzzy Hash: F641167180EBC44FE75A9B28A845A523FF0EF56260B1501DFD488CF1A7D625A84AC792
                                                                      Function 00007FF848E7A75C Relevance: .1, Instructions: 119COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2226956123.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d8c404e99b975b78c1cd695c08905191e512c27012a62f60282a98db5f5b529b
                                                                      • Instruction ID: 894725fd250753f72b715b0a1634a2101df57ec99c6045161168b657bbe17cda
                                                                      • Opcode Fuzzy Hash: d8c404e99b975b78c1cd695c08905191e512c27012a62f60282a98db5f5b529b
                                                                      • Instruction Fuzzy Hash: A531F63190DB8C8FEB59DB6898496E97FE0EF66321F0441AFC048C7153DA74584ACB92
                                                                      Function 00007FF848E797C9 Relevance: .1, Instructions: 112COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2226956123.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 65ed9327cee6364b162a536f27684ea230b2ce2d43462be6e2c3d61aba981a75
                                                                      • Instruction ID: f16fcd7b93d8925d4e9822eacca60254b1cf73f4dac93d104a267fc5d366e46c
                                                                      • Opcode Fuzzy Hash: 65ed9327cee6364b162a536f27684ea230b2ce2d43462be6e2c3d61aba981a75
                                                                      • Instruction Fuzzy Hash: 6A31933191CB4C9FDB1CAB5CA846AA97BE0FB99711F00422FE449D3251DB71A8568BC2
                                                                      Function 00007FF848E7A0FB Relevance: .1, Instructions: 54COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2226956123.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6aebc14283a2f71f29c7cddede92b29f4db06676d0931f0511f76c94ebfca768
                                                                      • Instruction ID: 12795469e0c986734cf451412c8b6df285b24b654007da252eb6feb6831ef310
                                                                      • Opcode Fuzzy Hash: 6aebc14283a2f71f29c7cddede92b29f4db06676d0931f0511f76c94ebfca768
                                                                      • Instruction Fuzzy Hash: 3D01F5BA94DAC94FDB55EF3CAC550E57F90FF26211F0402ABD048C7092EB259849CB81
                                                                      Function 00007FF848E733B5 Relevance: .0, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2226956123.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                      • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                      • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45
                                                                      Function 00007FF848F4414D Relevance: .0, Instructions: 37COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2227628858.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d17d8053aaff5fbe8338b8d79cdd0c323500432d514a8c409ca4f1fd96344410
                                                                      • Instruction ID: f792091696503b3c5837913d903d6ebbde57f14096e40bc4b21711e6120e484a
                                                                      • Opcode Fuzzy Hash: d17d8053aaff5fbe8338b8d79cdd0c323500432d514a8c409ca4f1fd96344410
                                                                      • Instruction Fuzzy Hash: 63F09031A0D5058FD759EB0CE4004A473E0FFA4364B1100BBE01DD71A3CB25EC508758
                                                                      Function 00007FF848F44400 Relevance: .0, Instructions: 35COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2227628858.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 20fe35511f9e42a29a2dbba9e0e186e6189ed6a698095a14ebdf9c5b8cc13377
                                                                      • Instruction ID: 14bbc8b06583cdc9af6c6b15f6384f6dcad0b823c3a02df95b097d97b9b6c2f4
                                                                      • Opcode Fuzzy Hash: 20fe35511f9e42a29a2dbba9e0e186e6189ed6a698095a14ebdf9c5b8cc13377
                                                                      • Instruction Fuzzy Hash: DCF0BE31A0E5448FD754EB0CE4408A8B7F0FF54724B1100F7E109D70A3DB26AC608754
                                                                      Function 00007FF848F441D1 Relevance: .0, Instructions: 29COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2227628858.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                      • Instruction ID: d76d88544f8f17bf3ee0e6656c2ee5cd95f71ee8ab9b11c39950933bcc316587
                                                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                      • Instruction Fuzzy Hash: 94E01A31B0C8088FDA69EB0CE0409A973E1FBB8365B1101B7D14EE75A1CB22EC518B84

                                                                      Non-executed Functions

                                                                      Function 00007FF848E78BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2226956123.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                      • API String ID: 0-962139525
                                                                      • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                      • Instruction ID: 63ad6347c9b35d5a557e4d70a1f235b63e22809effe47ae7a8015eb5b1719947
                                                                      • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                      • Instruction Fuzzy Hash: 6721D7F3684925AED209366DB8419EC7780EF543B978A53F3E028CF153EE1864878A95
                                                                      Function 00007FF848E789F2 Relevance: 7.6, Strings: 6, Instructions: 113COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2226956123.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M_^$M_^$M_^$M_^$M_^$M_^
                                                                      • API String ID: 0-3353809593
                                                                      • Opcode ID: e8c7cb211a31137934f76370ac5327aad9ea0df2f2245e27d193e4ce3d81ec61
                                                                      • Instruction ID: 3d74721c715a443774a31a777526042432cc5683371949a0d32fca35137503d6
                                                                      • Opcode Fuzzy Hash: e8c7cb211a31137934f76370ac5327aad9ea0df2f2245e27d193e4ce3d81ec61
                                                                      • Instruction Fuzzy Hash: 483173A3E0D9E64FE29B962918690617BD1FF71694F4D02F6C4988A0D3FE29DC03921D
                                                                      Function 00007FF848E789D5 Relevance: 6.4, Strings: 5, Instructions: 136COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2226956123.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M_^$M_^$M_^$M_^$M_^
                                                                      • API String ID: 0-679677686
                                                                      • Opcode ID: f3d0029fe726b44f3bf84be37297bce6b81919026b1dd82fb7b695122ab9af68
                                                                      • Instruction ID: e80c1c428010f3ad764365b3552d700ddbcd7d5f271ce917a4d2e6bd2f8b3858
                                                                      • Opcode Fuzzy Hash: f3d0029fe726b44f3bf84be37297bce6b81919026b1dd82fb7b695122ab9af68
                                                                      • Instruction Fuzzy Hash: B94194A2D0D9E35FE29A663818650A57B80FF716D8F4D02F6C4988A0D3FE28D803925D

                                                                      Executed Functions

                                                                      Function 00007FF848F36605 Relevance: .4, Instructions: 436COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2389207846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1d56bf8921e7778e0a872c890c07e2d71fb26398a1f6ea55cd9a3dea3a75db11
                                                                      • Instruction ID: 4b0a0cfe0354f21d9dd77e424dd3bcb2fc3d16eb3291d3de64543f8fa18c6a9d
                                                                      • Opcode Fuzzy Hash: 1d56bf8921e7778e0a872c890c07e2d71fb26398a1f6ea55cd9a3dea3a75db11
                                                                      • Instruction Fuzzy Hash: 28D11131E0EB8A5FE799AB2858155B57BE0EF1A394F1801FBD04DCB1D3EE18A8058355
                                                                      Function 00007FF848E6B238 Relevance: .3, Instructions: 315COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2388223136.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0be62010a17a7c424e13c5b0caf9e3dd92c225781f77562cc0416dc0c3c574b9
                                                                      • Instruction ID: 236e7754b431970f6baa8f3d1ba6ed1aab6bd0815e7a5b4d83225a3ecd4ccbd0
                                                                      • Opcode Fuzzy Hash: 0be62010a17a7c424e13c5b0caf9e3dd92c225781f77562cc0416dc0c3c574b9
                                                                      • Instruction Fuzzy Hash: 8E913530A1CA898FE749EF18C4856B9BBE1FF95351F1400BEC08AC7197EA75B846CB41
                                                                      Function 00007FF848E69728 Relevance: .1, Instructions: 145COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2388223136.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c3d3dc62348fbc992572b67831d29300c667f9e1c4b7adda065dedb284a9b824
                                                                      • Instruction ID: 280f47a7dd0bcf158a6b9f2946ac1120613458e6ae3db18dc6e4db76ec6c18d4
                                                                      • Opcode Fuzzy Hash: c3d3dc62348fbc992572b67831d29300c667f9e1c4b7adda065dedb284a9b824
                                                                      • Instruction Fuzzy Hash: D2412871D0CB888FDB59AF1CA8066B8BBE1FB55710F04816FD44993292DB34B856CBC2
                                                                      Function 00007FF848E69FFB Relevance: .1, Instructions: 127COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2388223136.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e1a73811ae0aff8e01f12bc7028c51b9a437a4ffa04392c18fd2a56b0fb8e9e8
                                                                      • Instruction ID: abfd75fa2b339132f6ff3288dfea1314f4d3e07d870fcaa19a526eefcfce023c
                                                                      • Opcode Fuzzy Hash: e1a73811ae0aff8e01f12bc7028c51b9a437a4ffa04392c18fd2a56b0fb8e9e8
                                                                      • Instruction Fuzzy Hash: 584103B6D1DAC54FD756AB3898540E13FA0FF22396B4900FBC184C7053EE68642AC795
                                                                      Function 00007FF848D4E540 Relevance: .1, Instructions: 124COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2387281027.00007FF848D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D4D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848d4d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cd1949fd12599be100039b2600e346729d37ee0ec59158bfa079a87002f4c784
                                                                      • Instruction ID: 717bf51fbbe3d9ee12f1d033f46d419e5f269cd0c03fcfe0ef7709fc9f916104
                                                                      • Opcode Fuzzy Hash: cd1949fd12599be100039b2600e346729d37ee0ec59158bfa079a87002f4c784
                                                                      • Instruction Fuzzy Hash: 9941E47080EBC45FE7969B399C45A523FF0EF56360F1506DFD088CB1A3D629A84AC792
                                                                      Function 00007FF848E633B5 Relevance: .0, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2388223136.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                      • Instruction ID: bc0586010bb7648f8a9788ff2eea40288e3a4c6b570a1a89675a5d11dfb431f3
                                                                      • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                                                      • Instruction Fuzzy Hash: CC01A73010CB0D4FDB44EF0CE051AA6B3E0FB85360F10052DE58AC3651DB32E882CB45
                                                                      Function 00007FF848F34148 Relevance: .0, Instructions: 38COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2389207846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 83c802b590283bbbcf9a3bea2c495db3cae1b9b415869db4a7f6cdff194429cb
                                                                      • Instruction ID: ddd26bf57c4c79d31a757ddac668e839a94665b486bba9b29dbbf492a6d7e08c
                                                                      • Opcode Fuzzy Hash: 83c802b590283bbbcf9a3bea2c495db3cae1b9b415869db4a7f6cdff194429cb
                                                                      • Instruction Fuzzy Hash: B8F06D31A0D9458FD75ABB5CE4008A877E0EF65360B1500B6E06DC71A3CB29EC418758
                                                                      Function 00007FF848F343FB Relevance: .0, Instructions: 36COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2389207846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c81943c1cba7d1272489cda4ea47c4c249d9491bb21834d0bcee8246461428ab
                                                                      • Instruction ID: 7e1111af3c637864d91e1695c3e74007b299b48f681815e6bc455fb47f879e0e
                                                                      • Opcode Fuzzy Hash: c81943c1cba7d1272489cda4ea47c4c249d9491bb21834d0bcee8246461428ab
                                                                      • Instruction Fuzzy Hash: D7F09A31A0D5458FEB54AB58E4408A8B7F0EF65360B1500F6E059C70A3DB2AEC608B64
                                                                      Function 00007FF848F341D1 Relevance: .0, Instructions: 29COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2389207846.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848f30000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                      • Instruction ID: 09613a87b3afa4a6477601c675d6bc6428512a03b2ca1351243ad063737339a8
                                                                      • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                      • Instruction Fuzzy Hash: 34E01A31B0C8088FDAAAEB4CE0409A973E1FBB8361B1101B7D14EC75A1CB22EC518B84

                                                                      Non-executed Functions

                                                                      Function 00007FF848E68BFA Relevance: 6.4, Strings: 5, Instructions: 108COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2388223136.00007FF848E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E60000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_7ff848e60000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: N_^6$N_^<$N_^F$N_^I$N_^J
                                                                      • API String ID: 0-4116931533
                                                                      • Opcode ID: 8201c494a57edf1f917aa58f11816ee0842afcba423ac7bfc73ad6212f0e6841
                                                                      • Instruction ID: ec3f6b674769187948be21f018cfc7cd61f94dc8a3c8c5b4e41ef41863a4ea89
                                                                      • Opcode Fuzzy Hash: 8201c494a57edf1f917aa58f11816ee0842afcba423ac7bfc73ad6212f0e6841
                                                                      • Instruction Fuzzy Hash: 6721F3A77498266FD30977ADBC105E86780EB942B6B4841B3D358CB503DA14608B8BD5

                                                                      Executed Functions

                                                                      Function 00007FF848F46605 Relevance: .4, Instructions: 433COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2604377646.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8eea04ea93226b4dd0c02732355eed773098e829a43ce243532fa2b8f7eab121
                                                                      • Instruction ID: 908b3f3edee0ac934986a335393748fa0b36760b05f5b9ee2cce84760cc89142
                                                                      • Opcode Fuzzy Hash: 8eea04ea93226b4dd0c02732355eed773098e829a43ce243532fa2b8f7eab121
                                                                      • Instruction Fuzzy Hash: 7CD14331D0EA8A5FF799AB2858145B57BA0EF26B90F1801FBD04DDB0D3EE1CA805C755
                                                                      Function 00007FF848E7A0D3 Relevance: .3, Instructions: 264COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2603130139.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8c8b0f9f3c90a8a79ed06edb62dafbe515bf55d3340fd7c9f6c9c9afe6e94093
                                                                      • Instruction ID: 063ed415245a57cbcd75aeb944533b7fc148ffcc2bc1eb19686892fd2cac5424
                                                                      • Opcode Fuzzy Hash: 8c8b0f9f3c90a8a79ed06edb62dafbe515bf55d3340fd7c9f6c9c9afe6e94093
                                                                      • Instruction Fuzzy Hash: FC219D6691E7C95FD707AB38A8650E47FB0EF23255B0D01E7D088CF0A3DA184849C7A2
                                                                      Function 00007FF848F44073 Relevance: .2, Instructions: 183COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2604377646.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 884e5e272b2a22cae724e5fe661326d91601ddbce97784a91b1329ea91bf2146
                                                                      • Instruction ID: 3371f23675bbe1e09a0cd972b8f0f264461894efe2ad76c067c7c6b04205df15
                                                                      • Opcode Fuzzy Hash: 884e5e272b2a22cae724e5fe661326d91601ddbce97784a91b1329ea91bf2146
                                                                      • Instruction Fuzzy Hash: B051F432A0EA864FE79AEB2C541167477E2FFB5664F1801BBC04EE71D3DE14E8158345
                                                                      Function 00007FF848F44370 Relevance: .1, Instructions: 147COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2604377646.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 06460b20b2508a968733a1bcfc3e69bc58713802c07c197ca778a998c3a7a31f
                                                                      • Instruction ID: f5cdb222fe9415a6d2be1b5b07382e22e82e611a3837f5efdfddc3938e2ab0c8
                                                                      • Opcode Fuzzy Hash: 06460b20b2508a968733a1bcfc3e69bc58713802c07c197ca778a998c3a7a31f
                                                                      • Instruction Fuzzy Hash: A1412932E0EA854FE7A9E72864005B477E1EF61B64F0801FBC049E71D7EB18AC118385
                                                                      Function 00007FF848E79770 Relevance: .1, Instructions: 136COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2603130139.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e0d8a932b3ee452c7b83bb199bc2bc33e6371b113a2efe14a9600fa47cc35744
                                                                      • Instruction ID: b42480c1714996df18f73c60b50bb9fdb43596c736b177ffcb02f11eb38c75a9
                                                                      • Opcode Fuzzy Hash: e0d8a932b3ee452c7b83bb199bc2bc33e6371b113a2efe14a9600fa47cc35744
                                                                      • Instruction Fuzzy Hash: 1D41F87191CB889FDB1DDF1CA8066B97BE0FB99710F04426FD449C3292DA74A806CBC6
                                                                      Function 00007FF848D5EB80 Relevance: .1, Instructions: 127COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2601734738.00007FF848D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848D5D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848d5d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 486fbec981a35ad680a69f6ab59193762a31d060441926b82b4e1836b87de328
                                                                      • Instruction ID: 9d3cd968900dadfb9b347c4ae8540b5d6bdd75898f5b50695894202ce1170542
                                                                      • Opcode Fuzzy Hash: 486fbec981a35ad680a69f6ab59193762a31d060441926b82b4e1836b87de328
                                                                      • Instruction Fuzzy Hash: 51415A7180EBC44FE756AB389845A623FF0EF52361F0501DFD089CB1A3D725A80AC792
                                                                      Function 00007FF848E7A64C Relevance: .1, Instructions: 99COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2603130139.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ad4091d79e8d3b07c6969137b7dbb4fa9db78b42c47a0286a318344c23b9f4ce
                                                                      • Instruction ID: d7b98ecc3a5b9803b04b6c4a19486bfa91f0b14e967dff16c8260c791f9cc064
                                                                      • Opcode Fuzzy Hash: ad4091d79e8d3b07c6969137b7dbb4fa9db78b42c47a0286a318344c23b9f4ce
                                                                      • Instruction Fuzzy Hash: D121283190CB8C8FEB59DBAC984A7E97FE0EB96320F04416FD048C3156DA749446CB92
                                                                      Function 00007FF848F440BF Relevance: .1, Instructions: 96COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2604377646.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 40ff4c1fd027f8c9edfdc7debb863a3d2544ab024360bcb4b1ddb86b4b8920e8
                                                                      • Instruction ID: 4f3d292488bccff04316d97801dc6316d1c70f3276b3066f92e09971ff4a7b33
                                                                      • Opcode Fuzzy Hash: 40ff4c1fd027f8c9edfdc7debb863a3d2544ab024360bcb4b1ddb86b4b8920e8
                                                                      • Instruction Fuzzy Hash: 9D21AC32E0EA874FE7AAEB2C545117466D2FFB4A98F5901BAC04EE71D2CF18DC158249
                                                                      Function 00007FF848F443BC Relevance: .1, Instructions: 63COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2604377646.00007FF848F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848f40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 71f7d1253eeb5ee140ae6a1f55659b7102257ee0c0163ffa3c5dd217318445a8
                                                                      • Instruction ID: 8df65923ae2ce46ccec5e899571d7b05a676d18f2d7dbd0144c548fbd4cbec52
                                                                      • Opcode Fuzzy Hash: 71f7d1253eeb5ee140ae6a1f55659b7102257ee0c0163ffa3c5dd217318445a8
                                                                      • Instruction Fuzzy Hash: F611C132D0F5854FE7A5E72894545B877D1FF60A68F5800FAD04DE71D2DB18AC108389
                                                                      Function 00007FF848E733B5 Relevance: .0, Instructions: 49COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2603130139.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                      • Instruction ID: 24ef75c526cb65825109a4e7586d62867e1718cfd4eae63a3c90891dd0916743
                                                                      • Opcode Fuzzy Hash: 08da065673a25bdeb927b4c2f952ba14616e05d90be0e25124618a69153761d0
                                                                      • Instruction Fuzzy Hash: CF01677111CB0D4FDB44EF0CE451AA6B7E0FB95364F50056DE58AC3691DB36E882CB45

                                                                      Non-executed Functions

                                                                      Function 00007FF848E78BF2 Relevance: 10.1, Strings: 8, Instructions: 85COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2603130139.00007FF848E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E70000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_7ff848e70000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                      • API String ID: 0-962139525
                                                                      • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                      • Instruction ID: 63ad6347c9b35d5a557e4d70a1f235b63e22809effe47ae7a8015eb5b1719947
                                                                      • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                      • Instruction Fuzzy Hash: 6721D7F3684925AED209366DB8419EC7780EF543B978A53F3E028CF153EE1864878A95

                                                                      Executed Functions

                                                                      Function 00007FF848E81689 Relevance: .7, Instructions: 672COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4e2b492ce9869bb4562afaaee9c3cca845bb43666107e14c30741889cecfec87
                                                                      • Instruction ID: 4749038d61037b00a26702be22155e8f2c10b4cf9824216d9f6bf53f8ba0a199
                                                                      • Opcode Fuzzy Hash: 4e2b492ce9869bb4562afaaee9c3cca845bb43666107e14c30741889cecfec87
                                                                      • Instruction Fuzzy Hash: C2229E30E2DA495FE798FB2C94596BDB7D2FF88781F8405B9D04EC3292DE38A8418745
                                                                      Function 00007FF848E816C9 Relevance: .6, Instructions: 573COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5b11409b7d72a023a9bcd98a7b5d0e88b20c9ffe46613d96694ee74b0b6a04bd
                                                                      • Instruction ID: 86d308ce95c5fbd01111c6896316cddbc4b603d5540bc5a9699a37fa8b243949
                                                                      • Opcode Fuzzy Hash: 5b11409b7d72a023a9bcd98a7b5d0e88b20c9ffe46613d96694ee74b0b6a04bd
                                                                      • Instruction Fuzzy Hash: B2028F20F2DA495FE798FB2C94696BD76D2FF88781F8405B9D00EC32D2DE39A8018755
                                                                      Function 00007FF848E811F2 Relevance: .5, Instructions: 544COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8ffcf42b0b4bf1572564432abd91f554ff867a0c74d3fff7e040d28839c9ba97
                                                                      • Instruction ID: d651176033026b5edba108dc5bff435ff0ff06592a1cdce71f1bf95efaa1ef4d
                                                                      • Opcode Fuzzy Hash: 8ffcf42b0b4bf1572564432abd91f554ff867a0c74d3fff7e040d28839c9ba97
                                                                      • Instruction Fuzzy Hash: D421D162E1DA5A5FE748F7A898651FD7BE1FF44280F8841BAC00AD72D2DF2928028744
                                                                      Function 00007FF848E80C3E Relevance: .2, Instructions: 179COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2d67df979132b1befbbf13dd19f94e83543be639a0c5ed17e274254a84b3983f
                                                                      • Instruction ID: ee32108e3cb42554c55ba535dc067dd1fb7f078631cf031aca681f46bb6b2289
                                                                      • Opcode Fuzzy Hash: 2d67df979132b1befbbf13dd19f94e83543be639a0c5ed17e274254a84b3983f
                                                                      • Instruction Fuzzy Hash: D1512521A0EBC61FE396B73C98562797BE1EF87650B0900FAD48DC7197DD2C5C428362
                                                                      Function 00007FF848E80AD1 Relevance: .1, Instructions: 131COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 80a84b20062a2a093dbfd1e08e08b6369f0439b2181df5966192b68ef28e59cf
                                                                      • Instruction ID: a4d091a85ca97457722930afda3f962244b3d4b9d651c3b81c160da35bc8ac21
                                                                      • Opcode Fuzzy Hash: 80a84b20062a2a093dbfd1e08e08b6369f0439b2181df5966192b68ef28e59cf
                                                                      • Instruction Fuzzy Hash: FD31C221F1D9095FE748B7AC58593BDB7D1FF98791F4402B6E40CC3282DE3858418761
                                                                      Function 00007FF848E80985 Relevance: .1, Instructions: 116COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f5c30f06ea8c20c37ab392124f960853766e47a0035371fe90489a51441e90b5
                                                                      • Instruction ID: cfeaa8710f46e7841e9d0a6c81114b633b34b73cadff86f331a1e737eaa8b33b
                                                                      • Opcode Fuzzy Hash: f5c30f06ea8c20c37ab392124f960853766e47a0035371fe90489a51441e90b5
                                                                      • Instruction Fuzzy Hash: 33318D30E19A0D9FDB48FB68D4656FEB7A1FF88341F944579D009C3286DE39A8418B54
                                                                      Function 00007FF848E81F49 Relevance: .1, Instructions: 104COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4d3fce79c5252200c70845229a7b02b508ef3b5660490fa72d34af15ac7a8315
                                                                      • Instruction ID: 40c536fe9f8fe624be6dae8549e8e76dd5a2c8f1253de44fb5a6acd90df10633
                                                                      • Opcode Fuzzy Hash: 4d3fce79c5252200c70845229a7b02b508ef3b5660490fa72d34af15ac7a8315
                                                                      • Instruction Fuzzy Hash: BF217130B1DA494FE788EB2C945A379B6C2EF98741F1405BEE04EC3297DE689C418345
                                                                      Function 00007FF848E80855 Relevance: .1, Instructions: 88COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 797975716656e87ae0b807cc6b6174dfb60be1548fe15a0561e03546a84b7da1
                                                                      • Instruction ID: b3347d1e749436cff03f77ab515eefd141803e3ef6c5dc4437c79ce32a2cee44
                                                                      • Opcode Fuzzy Hash: 797975716656e87ae0b807cc6b6174dfb60be1548fe15a0561e03546a84b7da1
                                                                      • Instruction Fuzzy Hash: AC31BC71E4EB8D5FD348EB2C94A55B8BFA1FF85200F8840ADD009CB29ADF346900C765
                                                                      Function 00007FF848E82041 Relevance: .0, Instructions: 47COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2a8d00f04e2a5d77a98f865b30afc9db283a175767757e7cea5b5cbc9b9028fe
                                                                      • Instruction ID: f04378dae2a27b02e060a1d9edc7223c6674b63a1c0aac5f15e7f8bde37eedb1
                                                                      • Opcode Fuzzy Hash: 2a8d00f04e2a5d77a98f865b30afc9db283a175767757e7cea5b5cbc9b9028fe
                                                                      • Instruction Fuzzy Hash: A8014714D0D7811FE341B638585447A7FE0EF92281F4804BBD889CB197DA289985C396
                                                                      Function 00007FF848E81190 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b41c1b33e32f5b18e45f6afe6947033b412194b6b20a3fd69a1bbfb32332788d
                                                                      • Instruction ID: bdee1bfecdbc56b86d2a4105c4237e54252717309abf79f101dbbebfe74aff43
                                                                      • Opcode Fuzzy Hash: b41c1b33e32f5b18e45f6afe6947033b412194b6b20a3fd69a1bbfb32332788d
                                                                      • Instruction Fuzzy Hash: 9FD09732C1C9194FD2E8E92CB0082B9F3E0FB842D0F4800BBD86CD3260CAB60C42438A

                                                                      Non-executed Functions

                                                                      Function 00007FF848E806FA Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2754949915.00007FF848E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_7ff848e80000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: <M_^$=M_^$M_^j$M_^p
                                                                      • API String ID: 0-3547729567
                                                                      • Opcode ID: 2677639b37ea7cca31071ba513882365fc9051664c2c4d8116abd0dbbe42f19c
                                                                      • Instruction ID: df1ea9382b86ee76ef55f5e6256979ce57919b2b8f1e8d84cff9dde3c5e2b7ae
                                                                      • Opcode Fuzzy Hash: 2677639b37ea7cca31071ba513882365fc9051664c2c4d8116abd0dbbe42f19c
                                                                      • Instruction Fuzzy Hash: 2431CCE7A8D956ADE14636AC64421FC3780FF503A4F4D8676C5ACCB1C3DE38604A49B9

                                                                      Executed Functions

                                                                      Function 00007FF848E51689 Relevance: .7, Instructions: 673COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 09155ed0b738629fc84feb30fdc1aa4157c4f2df4e8f15e17b211440127557d1
                                                                      • Instruction ID: 125766cf27ef97e7069e3f4eef94d33d3ccf34cdc8cfefcd1010a2f451abc69f
                                                                      • Opcode Fuzzy Hash: 09155ed0b738629fc84feb30fdc1aa4157c4f2df4e8f15e17b211440127557d1
                                                                      • Instruction Fuzzy Hash: 1C22E170A2CA499FE798FB7884592B9B7D2FF88785F440579E04EC32D2DF39A8018745
                                                                      Function 00007FF848E516C9 Relevance: .6, Instructions: 574COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ea1f34948cfba20442872abe8773efca8b9b94c27dd1ca06a084a9acdd2ae15c
                                                                      • Instruction ID: ae3c6544365c415a9d0572df5fa88b8fb85c621b4b470deb22ad40b0845162f8
                                                                      • Opcode Fuzzy Hash: ea1f34948cfba20442872abe8773efca8b9b94c27dd1ca06a084a9acdd2ae15c
                                                                      • Instruction Fuzzy Hash: 2B02E560E2DA495FE798FB7884592B9B7D2FF88785F4405B9E00EC32D2DF39A8018745
                                                                      Function 00007FF848E50C3E Relevance: .2, Instructions: 179COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 12f64fa2c68f8206e84ee9fbb279aaac4342717e14e3f9f84c965741efaa513b
                                                                      • Instruction ID: b48e298753db5e042586a1249981eee4c3dc51a8f0745bcc9fc16534574ced9d
                                                                      • Opcode Fuzzy Hash: 12f64fa2c68f8206e84ee9fbb279aaac4342717e14e3f9f84c965741efaa513b
                                                                      • Instruction Fuzzy Hash: F4512621A0EBC61FE396B77898662757BE1EF87660B0900FBD08DC7197DD1C5C428362
                                                                      Function 00007FF848E50AD1 Relevance: .1, Instructions: 132COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0734f4f2ee6939c4ba03cc14b34c9bc0561beaa3704df7c7c60da5d666eee8fc
                                                                      • Instruction ID: 8b2f4ead89ed71354e0ef207cd69a93a7ebafca0c0c6a13a142c6c668f695aed
                                                                      • Opcode Fuzzy Hash: 0734f4f2ee6939c4ba03cc14b34c9bc0561beaa3704df7c7c60da5d666eee8fc
                                                                      • Instruction Fuzzy Hash: 3631B361F1D90A5FE788BBB858593B9B7D1FF98791F084276E40DC3282DE2898018752
                                                                      Function 00007FF848E50985 Relevance: .1, Instructions: 116COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3ab1c902235bdce5243b3c55e60c9e525257ee3b4ed070fa7e36e5fece3e9ea4
                                                                      • Instruction ID: 242a28389e8df6573c3f6e164910b99c54f30c36546d390dac5b76c4bec3e601
                                                                      • Opcode Fuzzy Hash: 3ab1c902235bdce5243b3c55e60c9e525257ee3b4ed070fa7e36e5fece3e9ea4
                                                                      • Instruction Fuzzy Hash: DF31A030A1990D9FEB48FBA8C4556EEB7E1FF88341F544575D009C3286CF38A841CB54
                                                                      Function 00007FF848E51F49 Relevance: .1, Instructions: 104COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 94762acbf84d9c6a3930606772311d66d92dc1da0d4aa29474099b6a26ae7ca1
                                                                      • Instruction ID: 4cd30e48fffa0b9199d6ed839f4819853b0a2bf360e1da3c621e6883b20fe417
                                                                      • Opcode Fuzzy Hash: 94762acbf84d9c6a3930606772311d66d92dc1da0d4aa29474099b6a26ae7ca1
                                                                      • Instruction Fuzzy Hash: 63217130B1DA494FE788FB6C985A379B6C2EF98741F0405BEE04EC3297DE689C418345
                                                                      Function 00007FF848E50855 Relevance: .1, Instructions: 91COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 217a43b3d9fe16acf0c989427c9ba8e215635be48e903d64eabd19096346af27
                                                                      • Instruction ID: 9a239243543f41f83c36761447dbdb81e82d62fb69be6aa40038f68d78cd47a0
                                                                      • Opcode Fuzzy Hash: 217a43b3d9fe16acf0c989427c9ba8e215635be48e903d64eabd19096346af27
                                                                      • Instruction Fuzzy Hash: 4731D224A1D98D9FE389FB6C80A45A8BBA1FF85314B8840A9D449C72A7DF645800C799
                                                                      Function 00007FF848E52041 Relevance: .0, Instructions: 47COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5e83f544f8f6aa01287f30ed2a3afefefc2d636245f43dce1c2fa63140522ace
                                                                      • Instruction ID: ee5662d5116ecb54c58b32da3095e6375d810d0a492ab9dae5d7e3717e5c1717
                                                                      • Opcode Fuzzy Hash: 5e83f544f8f6aa01287f30ed2a3afefefc2d636245f43dce1c2fa63140522ace
                                                                      • Instruction Fuzzy Hash: 29017644A0EA851FE341B67C5854472BFE0EF93281F0804FBE8C9CB1D7EB289885C396
                                                                      Function 00007FF848E51190 Relevance: .0, Instructions: 22COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 480e21f6dc09c4afda11fa3c1778ab9637fc917181bc5d001ea2e4e405d39a8c
                                                                      • Instruction ID: efde833ec051abfece2c82b8114d3c98ffc3fcce796aa72a273d0028cffceb55
                                                                      • Opcode Fuzzy Hash: 480e21f6dc09c4afda11fa3c1778ab9637fc917181bc5d001ea2e4e405d39a8c
                                                                      • Instruction Fuzzy Hash: 3FD0A772D18C194FD2A8EA6CB0092B5F7E0FB546D5F1905BBE82CD3364C5F65C82438A
                                                                      Function 00007FF848E515E2 Relevance: .0, Instructions: 16COMMON
                                                                      Download Yara Rule
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0af4e63885abf22ea3e50b008cc51d4d3864a9d53a2966ae1d107fe5f285e8dd
                                                                      • Instruction ID: b0422cabbce46b891025de9e2a586432f6f8ea03318fd297c07a3f5066c35adf
                                                                      • Opcode Fuzzy Hash: 0af4e63885abf22ea3e50b008cc51d4d3864a9d53a2966ae1d107fe5f285e8dd
                                                                      • Instruction Fuzzy Hash: FDD05E61E2981B8EE788FBA888555FEE3B1FF546C0F4454B4D019D22C3DF3528418204

                                                                      Non-executed Functions

                                                                      Function 00007FF848E506FA Relevance: 5.1, Strings: 4, Instructions: 111COMMON
                                                                      Download Yara Rule
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2837348744.00007FF848E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848E50000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_7ff848e50000_svchost.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: <P_^$=P_^$P_^j$P_^p
                                                                      • API String ID: 0-44659116
                                                                      • Opcode ID: 496d11295e1f36811eabf340c615bf5d8b0208dc9552b4b8763b614475b23f59
                                                                      • Instruction ID: c7f48a3ba71bca35cdb374d2bd13400276076cc0fd49091bd45f37cf729cf4ab
                                                                      • Opcode Fuzzy Hash: 496d11295e1f36811eabf340c615bf5d8b0208dc9552b4b8763b614475b23f59
                                                                      • Instruction Fuzzy Hash: 1D3108D7A8D8166EF20536ECA4822EC6784FF507B4F4C8536D5DC8A1C3DE28344A49AD