
Windows Analysis Report
exe003.exe

Overview

General Information

Sample name: exe003.exe
Analysis ID: 1560741
MD5: 4cdcc052cbfa29daccd43389d7c5afd2
SHA1: c3bffb079f6b5bf2ef63b8e14d199b72b4be8ee2
SHA256: 78886dd99890f1d9d9bcf8cd1a89c2bd0bb74d26e3693602cc7d33c3fd6ecbd4
Tags: exe, malware, user-Joker

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Drops PE files with benign system names
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • exe003.exe (PID: 4132 cmdline: "C:\Users\user\Desktop\exe003.exe" MD5: 4CDCC052CBFA29DACCD43389D7C5AFD2)
    • powershell.exe (PID: 4080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 5296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5628 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'exe003.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3480 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5940 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 4352 cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: 4CDCC052CBFA29DACCD43389D7C5AFD2)
  • svchost.exe (PID: 6924 cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: 4CDCC052CBFA29DACCD43389D7C5AFD2)
  • cleanup

Malware configuration (XWorm):
{"C2 url": ["22.ip.gl.ply.gg"], "Port": 37805, "Aes key": "<1072549621>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara matches (Source; Rule; Description; Author; Strings)

Source: exe003.exe; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: exe003.exe; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0xff81:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1001e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10133:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xefb0:$cnc4: POST / HTTP/1.1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0xff81:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1001e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10133:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xefb0:$cnc4: POST / HTTP/1.1
Source: 00000000.00000000.1458749715.0000000000132000.00000002.00000001.01000000.00000003.sdmp; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 00000000.00000000.1458749715.0000000000132000.00000002.00000001.01000000.00000003.sdmp; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0xfd81:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xfe1e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xff33:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xedb0:$cnc4: POST / HTTP/1.1
Source: Process Memory Space: exe003.exe PID: 4132; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 0.0.exe003.exe.130000.0.unpack; Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Source: 0.0.exe003.exe.130000.0.unpack; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0xff81:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x1001e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x10133:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xefb0:$cnc4: POST / HTTP/1.1

System Summary (Sigma matches)

Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\exe003.exe, ProcessId: 4132, TargetFilename: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: Registry Key set; Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing; Data: Details: C:\Users\user\AppData\Local\Temp\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\exe003.exe, ProcessId: 4132, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\exe003.exe", ParentImage: C:\Users\user\Desktop\exe003.exe, ParentProcessId: 4132, ParentProcessName: exe003.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', ProcessId: 4080, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\exe003.exe", ParentImage: C:\Users\user\Desktop\exe003.exe, ParentProcessId: 4132, ParentProcessName: exe003.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe', ProcessId: 3480, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\exe003.exe", ParentImage: C:\Users\user\Desktop\exe003.exe, ParentProcessId: 4132, ParentProcessName: exe003.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe', ProcessId: 3480, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 4352, ProcessName: svchost.exe
Source: Process started; Author: frack113; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\exe003.exe", ParentImage: C:\Users\user\Desktop\exe003.exe, ParentProcessId: 4132, ParentProcessName: exe003.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', ProcessId: 4080, ProcessName: powershell.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\Temp\svchost.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\exe003.exe, ProcessId: 4132, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\exe003.exe", ParentImage: C:\Users\user\Desktop\exe003.exe, ParentProcessId: 4132, ParentProcessName: exe003.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', ProcessId: 4080, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\exe003.exe, ProcessId: 4132, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\exe003.exe", ParentImage: C:\Users\user\Desktop\exe003.exe, ParentProcessId: 4132, ParentProcessName: exe003.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe', ProcessId: 4080, ProcessName: powershell.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 4352, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: exe003.exe; Avira: detected
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Avira: detection malicious, Label: TR/Spy.Gen
Source: exe003.exe; Malware Configuration Extractor: Xworm {"C2 url": ["22.ip.gl.ply.gg"], "Port": 37805, "Aes key": "<1072549621>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; ReversingLabs: Detection: 81%
Source: exe003.exe; ReversingLabs: Detection: 81%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Joe Sandbox ML: detected
Source: exe003.exe; Joe Sandbox ML: detected
Source: exe003.exe; String decryptor: 22.ip.gl.ply.gg
Source: exe003.exe; String decryptor: 37805
Source: exe003.exe; String decryptor: <1072549621>
Source: exe003.exe; String decryptor: <Xwormmm>
Source: exe003.exe; String decryptor: ss
Source: exe003.exe; String decryptor: USB.exe
Source: exe003.exe; String decryptor: %Temp%
Source: exe003.exe; String decryptor: svchost.exe
Source: exe003.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: exe003.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor; URLs: 22.ip.gl.ply.gg
Source: global traffic; TCP traffic: 147.185.221.22 ports 0,37805,3,5,7,8
Source: global traffic; TCP traffic: 192.168.2.8:49712 -> 147.185.221.22:37805
Source: Joe Sandbox View; IP Address: 147.185.221.22
Source: Joe Sandbox View; ASN Name: SALSGIVERUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: 22.ip.gl.ply.gg
Source: powershell.exe, 00000002.00000002.1562126879.000001A66D58C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.m20
Source: powershell.exe, 0000000A.00000002.2028287088.0000019B6E4B5000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.mic
Source: powershell.exe, 00000002.00000002.1552703985.000001A610070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1644558408.0000017969600000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1798500948.000001BD1D320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1983231766.0000019B1006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.1851967269.0000019B00229000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1537821476.000001A600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1586877790.00000179597B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1701665920.000001BD0D4DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1851967269.0000019B00229000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: exe003.exe, 00000000.00000002.2718797664.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1537821476.000001A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1586877790.0000017959591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1701665920.000001BD0D2B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1851967269.0000019B00001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1537821476.000001A600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1586877790.00000179597B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1701665920.000001BD0D4DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1851967269.0000019B00229000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 0000000A.00000002.1851967269.0000019B00229000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000008.00000002.1820510603.000001BD258B6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://www.microsoft.coG
Source: powershell.exe, 00000002.00000002.1537821476.000001A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1586877790.0000017959591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1701665920.000001BD0D2B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1851967269.0000019B00001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.1983231766.0000019B1006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.1983231766.0000019B1006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.1983231766.0000019B1006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.1851967269.0000019B00229000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1552703985.000001A610070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1644558408.0000017969600000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1798500948.000001BD1D320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1983231766.0000019B1006F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

Operating System Destruction

Source: C:\Users\user\Desktop\exe003.exe; Process information set: 01 00 00 00

System Summary

Source: exe003.exe, type: SAMPLE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.exe003.exe.130000.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1458749715.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\exe003.exe; Code function: 0_2_00007FFB4ADD8346
Source: C:\Users\user\Desktop\exe003.exe; Code function: 0_2_00007FFB4ADD12E8
Source: C:\Users\user\Desktop\exe003.exe; Code function: 0_2_00007FFB4ADD90F2
Source: C:\Users\user\Desktop\exe003.exe; Code function: 0_2_00007FFB4ADD1689
Source: C:\Users\user\Desktop\exe003.exe; Code function: 0_2_00007FFB4ADD16C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 2_2_00007FFB4AE930E9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 5_2_00007FFB4AEA2E11
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Code function: 10_2_00007FFB4AEC30E9
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 16_2_00007FFB4ADE1689
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 16_2_00007FFB4ADE16C9
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 17_2_00007FFB4ADD1689
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Code function: 17_2_00007FFB4ADD16C9
Source: exe003.exe, 00000000.00000002.2751534650.000000001B260000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePowerS vs exe003.exe
Source: exe003.exe, 00000000.00000000.1458749715.0000000000132000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenamesvchost.exe4 vs exe003.exe
Source: exe003.exe; Binary or memory string: OriginalFilenamesvchost.exe4 vs exe003.exe
Source: exe003.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: exe003.exe, type: SAMPLE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.exe003.exe.130000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1458749715.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: exe003.exe, 9Pe1kLPKHDWweMx56dDnw0tHvqeNfqzo1j2PskUwCFZNfkdECEKon7L5uj7C.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: exe003.exe, 9Pe1kLPKHDWweMx56dDnw0tHvqeNfqzo1j2PskUwCFZNfkdECEKon7L5uj7C.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: exe003.exe, glQrsL5LzHB4eZfXS0GmqRJ9G5JINsRVqg9NBtJrRE4tJdTJ7oMraRe3x8jw.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, 9Pe1kLPKHDWweMx56dDnw0tHvqeNfqzo1j2PskUwCFZNfkdECEKon7L5uj7C.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, 9Pe1kLPKHDWweMx56dDnw0tHvqeNfqzo1j2PskUwCFZNfkdECEKon7L5uj7C.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, glQrsL5LzHB4eZfXS0GmqRJ9G5JINsRVqg9NBtJrRE4tJdTJ7oMraRe3x8jw.cs; Cryptographic APIs: 'TransformFinalBlock'
Source: exe003.exe, jjg32eNIZr2k76kr7qEKWzw85cu.cs; Base64 encoded string: 'LBcvFggi1tW8fMujZQwJRgMAEgOBrlJIQT0rt7qjG0vt7xpzREoLb1Wht64J'
Source: exe003.exe, xzvaK6w61wJHEZ7CkuunYrWGYkA.cs; Base64 encoded string: 'QBds2Y6M8DC1fXlD65N2XYEokQt9HlFOPbWu2yGo1jVoQiVkzRU632iCLLJr'
Source: exe003.exe, 8wIqr9u9FnxRPYZrqNqSdsyHwzH.cs; Base64 encoded string: 'Z0dDr5jJ8tq0r9sCAyhlz3qSoGes7KU1IlrNoQ3YUNaEFNwJUOqwuPxcwn7c', 'K0YbeQT8B6nXp7yPnNPIHD1dlJV5FxExteSDS2VcZg0533QNnEmqqVNn90WZ', 'jTTfqLnwEURHu5Pf5qKPtqi7kmEhlyNhNEJnVO86Z9cGABZVC2g09xfN5lyy', 'wv62cqluFjRsBBLahg5OWv0HcRdnwi4237BwGSub8YzjPsIfb5L2GmxxhmZM'
Source: svchost.exe.0.dr, jjg32eNIZr2k76kr7qEKWzw85cu.cs; Base64 encoded string: 'LBcvFggi1tW8fMujZQwJRgMAEgOBrlJIQT0rt7qjG0vt7xpzREoLb1Wht64J'
Source: svchost.exe.0.dr, xzvaK6w61wJHEZ7CkuunYrWGYkA.cs; Base64 encoded string: 'QBds2Y6M8DC1fXlD65N2XYEokQt9HlFOPbWu2yGo1jVoQiVkzRU632iCLLJr'
Source: svchost.exe.0.dr, 8wIqr9u9FnxRPYZrqNqSdsyHwzH.cs; Base64 encoded string: 'Z0dDr5jJ8tq0r9sCAyhlz3qSoGes7KU1IlrNoQ3YUNaEFNwJUOqwuPxcwn7c', 'K0YbeQT8B6nXp7yPnNPIHD1dlJV5FxExteSDS2VcZg0533QNnEmqqVNn90WZ', 'jTTfqLnwEURHu5Pf5qKPtqi7kmEhlyNhNEJnVO86Z9cGABZVC2g09xfN5lyy', 'wv62cqluFjRsBBLahg5OWv0HcRdnwi4237BwGSub8YzjPsIfb5L2GmxxhmZM'
Source: exe003.exe, WmbaD8MBPmUYa5vH5Tqiwmy1Eys.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: exe003.exe, WmbaD8MBPmUYa5vH5Tqiwmy1Eys.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.0.dr, WmbaD8MBPmUYa5vH5Tqiwmy1Eys.cs; Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, WmbaD8MBPmUYa5vH5Tqiwmy1Eys.cs; Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine; Classification label: mal100.troj.evad.winEXE@15/21@1/1
Source: C:\Users\user\Desktop\exe003.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Mutant created: NULL
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5296:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:356:120:WilError_03
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Users\user\Desktop\exe003.exe; Mutant created: \Sessions\1\BaseNamedObjects\FC0u91eNNKzllxdR
Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Users\user\Desktop\exe003.exe; File created: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: exe003.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: exe003.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\exe003.exe; File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\exe003.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: exe003.exe; ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\exe003.exe; File read: C:\Users\user\Desktop\exe003.exe
Source: unknown; Process created: C:\Users\user\Desktop\exe003.exe "C:\Users\user\Desktop\exe003.exe"
Source: C:\Users\user\Desktop\exe003.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\exe003.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'exe003.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\exe003.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\exe003.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Users\user\Desktop\exe003.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe'
            Source: C:\Users\user\Desktop\exe003.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'exe003.exe'Jump to behavior
            Source: C:\Users\user\Desktop\exe003.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe'Jump to behavior
            Source: C:\Users\user\Desktop\exe003.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'Jump to behavior
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\exe003.exe | Section loaded: winmm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\exe003.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: svchost.lnk.0.dr | LNK file: ..\..\..\..\..\..\Local\Temp\svchost.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: exe003.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: exe003.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: exe003.exe, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{jjg32eNIZr2k76kr7qEKWzw85cu.D84zd38dFarJRKyDiylGJJf37j0,jjg32eNIZr2k76kr7qEKWzw85cu.bkjcVH2NK6rO9zkRhNdqwg4MgJX,jjg32eNIZr2k76kr7qEKWzw85cu.TnX76V6xzl7bCMQ1hmNCJtokfyA,jjg32eNIZr2k76kr7qEKWzw85cu._78Yfp1K2gnvkRIYf7tYdyLxAZNZ,_9Pe1kLPKHDWweMx56dDnw0tHvqeNfqzo1j2PskUwCFZNfkdECEKon7L5uj7C.xDIxpkYo1puf23V3vqgElCzYZOu2COIJfJjFYpIO1tarfxKmR1rw7RnFWBNZ()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: exe003.exe, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xS78KU4QpTPrI0b6A8Img6PC4VC[2],_9Pe1kLPKHDWweMx56dDnw0tHvqeNfqzo1j2PskUwCFZNfkdECEKon7L5uj7C.leRPwB8t87ybR74A3PRNrGTi0hZcNbMJCX4ZocZBHRMZPmndZvam18Nov8Eg(Convert.FromBase64String(xS78KU4QpTPrI0b6A8Img6PC4VC[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: svchost.exe.0.dr, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{jjg32eNIZr2k76kr7qEKWzw85cu.D84zd38dFarJRKyDiylGJJf37j0,jjg32eNIZr2k76kr7qEKWzw85cu.bkjcVH2NK6rO9zkRhNdqwg4MgJX,jjg32eNIZr2k76kr7qEKWzw85cu.TnX76V6xzl7bCMQ1hmNCJtokfyA,jjg32eNIZr2k76kr7qEKWzw85cu._78Yfp1K2gnvkRIYf7tYdyLxAZNZ,_9Pe1kLPKHDWweMx56dDnw0tHvqeNfqzo1j2PskUwCFZNfkdECEKon7L5uj7C.xDIxpkYo1puf23V3vqgElCzYZOu2COIJfJjFYpIO1tarfxKmR1rw7RnFWBNZ()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: svchost.exe.0.dr, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{xS78KU4QpTPrI0b6A8Img6PC4VC[2],_9Pe1kLPKHDWweMx56dDnw0tHvqeNfqzo1j2PskUwCFZNfkdECEKon7L5uj7C.leRPwB8t87ybR74A3PRNrGTi0hZcNbMJCX4ZocZBHRMZPmndZvam18Nov8Eg(Convert.FromBase64String(xS78KU4QpTPrI0b6A8Img6PC4VC[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: exe003.exe, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs.Net Code: Op62tNzyU21d6GZZsGucw630U5V System.AppDomain.Load(byte[])
            Source: exe003.exe, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs.Net Code: nf6I8RTWwO9xJYmrsOFOCJXrk1H System.AppDomain.Load(byte[])
            Source: exe003.exe, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs.Net Code: nf6I8RTWwO9xJYmrsOFOCJXrk1H
            Source: svchost.exe.0.dr, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs.Net Code: Op62tNzyU21d6GZZsGucw630U5V System.AppDomain.Load(byte[])
            Source: svchost.exe.0.dr, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs.Net Code: nf6I8RTWwO9xJYmrsOFOCJXrk1H System.AppDomain.Load(byte[])
            Source: svchost.exe.0.dr, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs.Net Code: nf6I8RTWwO9xJYmrsOFOCJXrk1H
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FFB4ACAD2A5 pushad ; iretd 2_2_00007FFB4ACAD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4ACBF482 pushad ; retf 5_2_00007FFB4ACBF484
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4ACBD2A5 pushad ; iretd 5_2_00007FFB4ACBD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4AEA42F8 pushad ; retf 5_2_00007FFB4AEA42F9
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_00007FFB4AEAA079 push edi; retf 5_2_00007FFB4AEAA07A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_00007FFB4ACCD2A5 pushad ; iretd 8_2_00007FFB4ACCD2A6
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 10_2_00007FFB4ACDD2A5 pushad ; iretd 10_2_00007FFB4ACDD2A6
            Source: exe003.exe, apgF18mVkyVFrIEP6IOfDajWb0Jr086b852iel2rY09kM4hK1BL0fZkXzmqQ.cs | High entropy of concatenated method names: 'aC8beXEiNsmObAScZ5yJ2H4PfJdoC7ohqsquYGv2g75rd2SHB5lTlfbyIAEG', 'F0j6gbhKoStKQfasRKLjMV4eyDnUSYeRGLH28vx72CU1KpD9ySZRPOwRcbyg', 'wiidh6cwA0NQGPYema7ugGhWywejINpdHBDtzfbyt3RWfhGMmfOiAmd1piLg', 'Uq3obLpHuul8wO78oAy5', 'PN1zwZxaPwHMsu0fyzoM', 'YLJ423mUnk1TFYIKtv87', '_3fH3tpJjrJjEEBIlLRmj', '_8GjfsfpKxUWnXLr4lPcs', 'tnsxNLCKYcXQvHo93ZXJ', 'MAwb4XjdWD6LswrNpDhI'
            Source: exe003.exe, jjg32eNIZr2k76kr7qEKWzw85cu.cs | High entropy of concatenated method names: 'vVQJyGDJ9a8FapZBeh2Y7m9I554QJ2elnuQvnGYZeAGXKdZ88us4SoAGa67d', '_5Kpfo9cmpUIsawcemsaexYxTmt4gbVF2tZVsF433bxYVXYK8ENf0Ef50yYDq', 'zcDhiod9DxQVq3sWc2lUW9IddjttCwO6CdzICPo9QrkaZgEAUSJTIV5dJBAg', 'GBd1mfyX4RqrwaQrYT8mtLNhEulbHs17EpVfagZFVgPmyRzNmPzydqHKQTRq'
            Source: exe003.exe, 8wIqr9u9FnxRPYZrqNqSdsyHwzH.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'oM0jLV0ZsoY0w86ucNq3AdHYz4JUhypG1hNVfxLy5x8zApXiYLWrcdO3FjHC', 'tqirLNGv2wVuBvFJJNTiHgumdbbYPrZr7VDURnasiIDqNND3nHJ0Nf4VmY7R', 'leaRo7X7bJsl3d5fHhKv2YzpGFRzQcvR7lVLUoVI7gO6ulNBCKWtpqbdx9CR', 'vzabg9J1e0rkexSF7YVRJ97VXNuIxCqUlkNmMvBxHOPZru1VfcY6Kv5CzfoK'
            Source: exe003.exe, aMz6mEgcrzH0bvznyNvdUNTW3iy.cs | High entropy of concatenated method names: 'My6xROiKyC2ioSynorHIPXw3opA', '_48fcERRNss6NLYlF53LG4NTimfMxhRTZeDWffPH9WjewN', '_4RetcPcgT8EC1gl2Y4c3oLUgXkagpDdUSV1PvY3dIZf9X', 'IkPwAEHUKikVy9RFDFFoC6QR8EoQqaY4juY1xxE1FEh4a', 'rCGw0jA3NZP5oFExbIsOkwJaI7Nv0ZCYqnAuNZgh0Fch3'
            Source: exe003.exe, QCW6IQz44KRJVWHK9BeDSxILasb.cs | High entropy of concatenated method names: 'OkdzzOYH8R6kPI2gt8VpjtfBZsY', 'Peb2mJRgbjIL8W9YMzN5LGgxVUh', 'uHt38R5YAVeBLmhWjTiw4YgQQMj', '_62MiYo6rkau2PQDAq3KDUPqQpOl', 'JqqbFP5Ywk8m0rc2QJLQBKg23Mh', 'qZYRO7qjBkG831VPtJKiTB2HlS6cw5rqFwykMjPBfklzM', 'QaXDBe1KeYUhgTa3q03oPmbSwTJgVUcR4Bamwnu7zKWp3', '_6tkQh6uP4kCUpQKFWoFN8fvNyyqaq4ojh7TEjOZx8i0rv', 'CyexrULAXxVT2g3UFd2uM3i3gsw7EuLcZ3RtxHDSx02Uu', '_765s4bGTN1gWiddBmevHgrJiHHBwCDu0IkwN2mpCMMdhp'
            Source: exe003.exe, WmbaD8MBPmUYa5vH5Tqiwmy1Eys.cs | High entropy of concatenated method names: 'XrtSpfvQSdj6uxMnVMvOWH0XSa9', 'PaoeUnQmDAO4H5603Xj30qBman6', 'WIZErKcdDNyKihXQ2SLrKDlB7ij', 'NLje9Yn6zN7oauP9jsTxYkWqHCv', 'iQIE6mWeZGiGcFBX2iPZB2BJQRf', 'yftd0s8ra331zh7sC35l6A6jYU4', 'cl8AQq0CkKV1b19KiQqhzfa7Yqu', 'yoaxfQjoRFBxotSOp5HP67YkxHb', 'VQDtZkzZMiO8eWR411rhlEvRk9F', 'a9C5Di7Hs6FFmqdy3Hg54ICODFg'
            Source: exe003.exe, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs | High entropy of concatenated method names: 'WXR2mxIXFVblsKsVoxcmVx6DeY7', 'Op62tNzyU21d6GZZsGucw630U5V', 'e128DIhtpDqSN793gWQz9xl1oJw', 'tzxfB5k19GIz0v3avy1Hijylp2f', 'pOICNx4aQ8rVs4T6L9CHx5vjBgK', '_8JjMsgkAKWckea09Sl0DPMrbV72', 'vRfm3zRaeoZ7vIiYhFr4OppvFAO', 'z17aLASNUCZ78308tm1okUumcx3', '_8ZlCkP42d2dFwXcvvTRN8VyY9UR', 'A7XfwUGJKaxyCEIYNFYjtpjOidy'
            Source: exe003.exe, 9Pe1kLPKHDWweMx56dDnw0tHvqeNfqzo1j2PskUwCFZNfkdECEKon7L5uj7C.cs | High entropy of concatenated method names: 'eS1Jy5wOhwjMsMKtCl7CMJZz2aHRli0BU1SgAA4UNOnZbrCYthJf6JzSvRgi', 'aBhNtAGkudSUJq41jBgttH0JwnSDcDSrZUVVFPRjTN7i2Pls0zjZv75d9Jhc', 'fBROse0E9OFgyEEVQBih0SFMMlcOp7PASjbczVQdTajlmnitQh97hnSfmLPQ', 'OzjiWw6fJR64g4i9WBOHw27erXB4EpzxOJkVJN4tpaiSKTOiNblw1LArZtdP', 'D7XXPcMGunAISqvpvBtOVHVSFezKtgFZyt6ZCQRbBRCh6Vg5XCfnUctiHTpd', 'N1VWikhAs0iNl2HLzSj4uSZNIimwCXPQWlThxtHROgkE1X0VzUqsx1TyNQ8b', 'UeV9aQQOgqi469cPNGvZcnXnd77CmYfsCnYBkQQgYeTlgGfDLbXA41QhutaN', 'ZGwBaxyjBgtXQPr6AkCpXfIhkeUVhDDlkSTSZkb0XP4MLRH3dNIP4xkBwS5x', 'DogBR2Xv1r58usQgvxiNEggYqNpJyBdxs3wX7yYEhwKCW5jJ3oJGykiTMHfm', 'FgNUYY2nNLs9EkPMUpeOIaW126oACGwFbw6DOU2AsX0junhZaGpOLeyOenaQ'
            Source: exe003.exe, glQrsL5LzHB4eZfXS0GmqRJ9G5JINsRVqg9NBtJrRE4tJdTJ7oMraRe3x8jw.cs | High entropy of concatenated method names: 'ZGOyYinY1pbCenkah30cCRbkM43t2cdgI2KoqvvJ2mX8DjBlrYY6jW7XXCVy', 'oaWpzWVTBZHYfWSEXeejJxLU22niy15emDDR78znMz35AOUVwzsUQCQXWMN1tJD3Y4a4QaoCuiF9v', '_8xe2wpMOXaTFovPddMmF279cxBVKggetkxzi5MZPSLxArjxa55HIsfyndZAnhIsMzarHlikmoUxKu', 'OYcQ8MOCJjip8TldCnitc5Am7ELkyl52t2TGzVUUQHbPP2G7FwpghEpyabfPj4pqVbFFp5ssh1NcE', 'lrnfm1w6CQe3Ywz8X4KqeqQBWDE5za8MHnpNfCow6gHpQjOvrfMjpvppTmKyx5WCUofjXnxSJa3hz'
            Source: exe003.exe, 5RzaBtFEUUlEIcsy5fUfSXWlmuizi4enK8tySW7mTiNsanPOt75F767mknse.cs | High entropy of concatenated method names: 'MwQXROpQg7s4Vb6xmTRh77qeodQ8N2Ie7u94qXzYGZg6LDBI83L4qL1bw29e', 'McovhfdW82i0S6O0HChaHV8laZ7TMuw89KDAsno5EYjhntYcnPZpCkZ1bUVk', 'DpJjbLltBUPlycwxsBsj1WvZZcZuWRksApf7YgHyLdNoTWFEmxSBB1UoMtFl', 'M1Amuarz10vLGVhGJu19CGYTWDuoDZsuTBWY5Kyr4JHly0fasTXuBBVognEV', 'YyWYkv6K1xsewU02bdhAKWjRq8GXWnpvmSuHk7dG2SOYtbTW8NpuUnEFKzFrfGbWvE56y6EgEryqm', 'rXwtRXcxL3Kxb04xS1iv9Nl6xxdtcY69gnX83I4YJ6I6UA6Io0xUTkSR1ensYSjn88suyoh8gfIoL', 'Gl1mtG0vzN5ul45OndmZyDWN2DiTgQXYIttMwNxqMBSnng4ruvmD2AG9niSbR0MeTMeNuAi3N1Zbe', 'BdNhg8KHNTvgHJF1Rf1HwDJ9IRz3uPRwoRVsgOB2VhW4MEIbqY0smwdwz6ybtfkSzyFC1imueJUYS', 'GkU23jAdq85YbgPpuWRJ5dfS7zezb8xeYZOzQGniWy3AtDgDgQGyIjmu66muvknJqOa83GoBBR5If', 'gYddCiAuZl9evqwz31NS1tMO3jifGlGsXn56qMbr9KKc3vzOh9FFUoj1b6nT7FAcXO5KuIQtO95E6'
            Source: exe003.exe, bgIE5WEHqz5UoFQoOJwRdRcRmg4.cs | High entropy of concatenated method names: 'hPzL3DtGKrIsFIbb5acG5UM0ly1', 'cNsUFIeGK1zcFVHlvzabp9FHTkH', 'T1u12vDK5nJc0aSO9B6doIfO5vo', 'yV1CRwZltf79MzXvdK3RELCRI6V', 'z3DnisQBOSexlFdUITEUBoiQYiV', 'Fg7k2o9WzamOh0MiwdwA59dRjbc', 'zD229aBYTMvrhYmuDMjGnxJ20TP', '_8sgcimTd114wqKSmDeqkv8I60iq', 'CDX9Tc1cgunix3fqGNOAWBjz5Su', 'TRq7RwDrqDsFhQPDlKXeQhOAtY7'
            Source: svchost.exe.0.dr, apgF18mVkyVFrIEP6IOfDajWb0Jr086b852iel2rY09kM4hK1BL0fZkXzmqQ.cs | High entropy of concatenated method names: 'aC8beXEiNsmObAScZ5yJ2H4PfJdoC7ohqsquYGv2g75rd2SHB5lTlfbyIAEG', 'F0j6gbhKoStKQfasRKLjMV4eyDnUSYeRGLH28vx72CU1KpD9ySZRPOwRcbyg', 'wiidh6cwA0NQGPYema7ugGhWywejINpdHBDtzfbyt3RWfhGMmfOiAmd1piLg', 'Uq3obLpHuul8wO78oAy5', 'PN1zwZxaPwHMsu0fyzoM', 'YLJ423mUnk1TFYIKtv87', '_3fH3tpJjrJjEEBIlLRmj', '_8GjfsfpKxUWnXLr4lPcs', 'tnsxNLCKYcXQvHo93ZXJ', 'MAwb4XjdWD6LswrNpDhI'
            Source: svchost.exe.0.dr, jjg32eNIZr2k76kr7qEKWzw85cu.cs | High entropy of concatenated method names: 'vVQJyGDJ9a8FapZBeh2Y7m9I554QJ2elnuQvnGYZeAGXKdZ88us4SoAGa67d', '_5Kpfo9cmpUIsawcemsaexYxTmt4gbVF2tZVsF433bxYVXYK8ENf0Ef50yYDq', 'zcDhiod9DxQVq3sWc2lUW9IddjttCwO6CdzICPo9QrkaZgEAUSJTIV5dJBAg', 'GBd1mfyX4RqrwaQrYT8mtLNhEulbHs17EpVfagZFVgPmyRzNmPzydqHKQTRq'
            Source: svchost.exe.0.dr, 8wIqr9u9FnxRPYZrqNqSdsyHwzH.cs | High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'oM0jLV0ZsoY0w86ucNq3AdHYz4JUhypG1hNVfxLy5x8zApXiYLWrcdO3FjHC', 'tqirLNGv2wVuBvFJJNTiHgumdbbYPrZr7VDURnasiIDqNND3nHJ0Nf4VmY7R', 'leaRo7X7bJsl3d5fHhKv2YzpGFRzQcvR7lVLUoVI7gO6ulNBCKWtpqbdx9CR', 'vzabg9J1e0rkexSF7YVRJ97VXNuIxCqUlkNmMvBxHOPZru1VfcY6Kv5CzfoK'
            Source: svchost.exe.0.dr, aMz6mEgcrzH0bvznyNvdUNTW3iy.cs | High entropy of concatenated method names: 'My6xROiKyC2ioSynorHIPXw3opA', '_48fcERRNss6NLYlF53LG4NTimfMxhRTZeDWffPH9WjewN', '_4RetcPcgT8EC1gl2Y4c3oLUgXkagpDdUSV1PvY3dIZf9X', 'IkPwAEHUKikVy9RFDFFoC6QR8EoQqaY4juY1xxE1FEh4a', 'rCGw0jA3NZP5oFExbIsOkwJaI7Nv0ZCYqnAuNZgh0Fch3'
            Source: svchost.exe.0.dr, QCW6IQz44KRJVWHK9BeDSxILasb.cs | High entropy of concatenated method names: 'OkdzzOYH8R6kPI2gt8VpjtfBZsY', 'Peb2mJRgbjIL8W9YMzN5LGgxVUh', 'uHt38R5YAVeBLmhWjTiw4YgQQMj', '_62MiYo6rkau2PQDAq3KDUPqQpOl', 'JqqbFP5Ywk8m0rc2QJLQBKg23Mh', 'qZYRO7qjBkG831VPtJKiTB2HlS6cw5rqFwykMjPBfklzM', 'QaXDBe1KeYUhgTa3q03oPmbSwTJgVUcR4Bamwnu7zKWp3', '_6tkQh6uP4kCUpQKFWoFN8fvNyyqaq4ojh7TEjOZx8i0rv', 'CyexrULAXxVT2g3UFd2uM3i3gsw7EuLcZ3RtxHDSx02Uu', '_765s4bGTN1gWiddBmevHgrJiHHBwCDu0IkwN2mpCMMdhp'
            Source: svchost.exe.0.dr, WmbaD8MBPmUYa5vH5Tqiwmy1Eys.cs | High entropy of concatenated method names: 'XrtSpfvQSdj6uxMnVMvOWH0XSa9', 'PaoeUnQmDAO4H5603Xj30qBman6', 'WIZErKcdDNyKihXQ2SLrKDlB7ij', 'NLje9Yn6zN7oauP9jsTxYkWqHCv', 'iQIE6mWeZGiGcFBX2iPZB2BJQRf', 'yftd0s8ra331zh7sC35l6A6jYU4', 'cl8AQq0CkKV1b19KiQqhzfa7Yqu', 'yoaxfQjoRFBxotSOp5HP67YkxHb', 'VQDtZkzZMiO8eWR411rhlEvRk9F', 'a9C5Di7Hs6FFmqdy3Hg54ICODFg'
            Source: svchost.exe.0.dr, 4vDdsMsQMy4tE1sov2oKjgmiPvC.cs | High entropy of concatenated method names: 'WXR2mxIXFVblsKsVoxcmVx6DeY7', 'Op62tNzyU21d6GZZsGucw630U5V', 'e128DIhtpDqSN793gWQz9xl1oJw', 'tzxfB5k19GIz0v3avy1Hijylp2f', 'pOICNx4aQ8rVs4T6L9CHx5vjBgK', '_8JjMsgkAKWckea09Sl0DPMrbV72', 'vRfm3zRaeoZ7vIiYhFr4OppvFAO', 'z17aLASNUCZ78308tm1okUumcx3', '_8ZlCkP42d2dFwXcvvTRN8VyY9UR', 'A7XfwUGJKaxyCEIYNFYjtpjOidy'
            Source: svchost.exe.0.dr, 9Pe1kLPKHDWweMx56dDnw0tHvqeNfqzo1j2PskUwCFZNfkdECEKon7L5uj7C.cs | High entropy of concatenated method names: 'eS1Jy5wOhwjMsMKtCl7CMJZz2aHRli0BU1SgAA4UNOnZbrCYthJf6JzSvRgi', 'aBhNtAGkudSUJq41jBgttH0JwnSDcDSrZUVVFPRjTN7i2Pls0zjZv75d9Jhc', 'fBROse0E9OFgyEEVQBih0SFMMlcOp7PASjbczVQdTajlmnitQh97hnSfmLPQ', 'OzjiWw6fJR64g4i9WBOHw27erXB4EpzxOJkVJN4tpaiSKTOiNblw1LArZtdP', 'D7XXPcMGunAISqvpvBtOVHVSFezKtgFZyt6ZCQRbBRCh6Vg5XCfnUctiHTpd', 'N1VWikhAs0iNl2HLzSj4uSZNIimwCXPQWlThxtHROgkE1X0VzUqsx1TyNQ8b', 'UeV9aQQOgqi469cPNGvZcnXnd77CmYfsCnYBkQQgYeTlgGfDLbXA41QhutaN', 'ZGwBaxyjBgtXQPr6AkCpXfIhkeUVhDDlkSTSZkb0XP4MLRH3dNIP4xkBwS5x', 'DogBR2Xv1r58usQgvxiNEggYqNpJyBdxs3wX7yYEhwKCW5jJ3oJGykiTMHfm', 'FgNUYY2nNLs9EkPMUpeOIaW126oACGwFbw6DOU2AsX0junhZaGpOLeyOenaQ'
            Source: svchost.exe.0.dr, glQrsL5LzHB4eZfXS0GmqRJ9G5JINsRVqg9NBtJrRE4tJdTJ7oMraRe3x8jw.cs | High entropy of concatenated method names: 'ZGOyYinY1pbCenkah30cCRbkM43t2cdgI2KoqvvJ2mX8DjBlrYY6jW7XXCVy', 'oaWpzWVTBZHYfWSEXeejJxLU22niy15emDDR78znMz35AOUVwzsUQCQXWMN1tJD3Y4a4QaoCuiF9v', '_8xe2wpMOXaTFovPddMmF279cxBVKggetkxzi5MZPSLxArjxa55HIsfyndZAnhIsMzarHlikmoUxKu', 'OYcQ8MOCJjip8TldCnitc5Am7ELkyl52t2TGzVUUQHbPP2G7FwpghEpyabfPj4pqVbFFp5ssh1NcE', 'lrnfm1w6CQe3Ywz8X4KqeqQBWDE5za8MHnpNfCow6gHpQjOvrfMjpvppTmKyx5WCUofjXnxSJa3hz'
            Source: svchost.exe.0.dr, 5RzaBtFEUUlEIcsy5fUfSXWlmuizi4enK8tySW7mTiNsanPOt75F767mknse.cs | High entropy of concatenated method names: 'MwQXROpQg7s4Vb6xmTRh77qeodQ8N2Ie7u94qXzYGZg6LDBI83L4qL1bw29e', 'McovhfdW82i0S6O0HChaHV8laZ7TMuw89KDAsno5EYjhntYcnPZpCkZ1bUVk', 'DpJjbLltBUPlycwxsBsj1WvZZcZuWRksApf7YgHyLdNoTWFEmxSBB1UoMtFl', 'M1Amuarz10vLGVhGJu19CGYTWDuoDZsuTBWY5Kyr4JHly0fasTXuBBVognEV', 'YyWYkv6K1xsewU02bdhAKWjRq8GXWnpvmSuHk7dG2SOYtbTW8NpuUnEFKzFrfGbWvE56y6EgEryqm', 'rXwtRXcxL3Kxb04xS1iv9Nl6xxdtcY69gnX83I4YJ6I6UA6Io0xUTkSR1ensYSjn88suyoh8gfIoL', 'Gl1mtG0vzN5ul45OndmZyDWN2DiTgQXYIttMwNxqMBSnng4ruvmD2AG9niSbR0MeTMeNuAi3N1Zbe', 'BdNhg8KHNTvgHJF1Rf1HwDJ9IRz3uPRwoRVsgOB2VhW4MEIbqY0smwdwz6ybtfkSzyFC1imueJUYS', 'GkU23jAdq85YbgPpuWRJ5dfS7zezb8xeYZOzQGniWy3AtDgDgQGyIjmu66muvknJqOa83GoBBR5If', 'gYddCiAuZl9evqwz31NS1tMO3jifGlGsXn56qMbr9KKc3vzOh9FFUoj1b6nT7FAcXO5KuIQtO95E6'
            Source: svchost.exe.0.dr, bgIE5WEHqz5UoFQoOJwRdRcRmg4.cs | High entropy of concatenated method names: 'hPzL3DtGKrIsFIbb5acG5UM0ly1', 'cNsUFIeGK1zcFVHlvzabp9FHTkH', 'T1u12vDK5nJc0aSO9B6doIfO5vo', 'yV1CRwZltf79MzXvdK3RELCRI6V', 'z3DnisQBOSexlFdUITEUBoiQYiV', 'Fg7k2o9WzamOh0MiwdwA59dRjbc', 'zD229aBYTMvrhYmuDMjGnxJ20TP', '_8sgcimTd114wqKSmDeqkv8I60iq', 'CDX9Tc1cgunix3fqGNOAWBjz5Su', 'TRq7RwDrqDsFhQPDlKXeQhOAtY7'
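            The "High entropy of concatenated method names" rows above are a heuristic, not a verdict, and it is worth being able to reproduce the number. The script below is an added example (not Joe Sandbox code) that re-derives it from the 8wIqr9u9FnxRPYZrqNqSdsyHwzH.cs row of this report: it pulls the quoted names out of the row text, computes the Shannon entropy of the names joined into one string, and adds a second, per-name signal, because names inherited from System.Object (Equals, GetHashCode, GetType, ToString) cannot be renamed by an obfuscator and pull the joint entropy down. The comparison class PLAIN_NAMES, the 4.8 bits/char threshold and the renamed_fraction rule are assumptions chosen for illustration.

```python
"""Re-derive the 'High entropy of concatenated method names' heuristic.

Added example, not Joe Sandbox code. REPORT_ROW is copied from this report;
PLAIN_NAMES, the 4.8 bits/char threshold and the renamed_fraction signal are
assumptions made for illustration.
"""
import math
import re
from collections import Counter

# Row copied from the report (class 8wIqr9u9FnxRPYZrqNqSdsyHwzH.cs in exe003.exe).
REPORT_ROW = (
    "Source: exe003.exe, 8wIqr9u9FnxRPYZrqNqSdsyHwzH.cs | High entropy of "
    "concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', "
    "'Create__Instance__', 'Dispose__Instance__', "
    "'oM0jLV0ZsoY0w86ucNq3AdHYz4JUhypG1hNVfxLy5x8zApXiYLWrcdO3FjHC', "
    "'tqirLNGv2wVuBvFJJNTiHgumdbbYPrZr7VDURnasiIDqNND3nHJ0Nf4VmY7R', "
    "'leaRo7X7bJsl3d5fHhKv2YzpGFRzQcvR7lVLUoVI7gO6ulNBCKWtpqbdx9CR', "
    "'vzabg9J1e0rkexSF7YVRJ97VXNuIxCqUlkNmMvBxHOPZru1VfcY6Kv5CzfoK'"
)

# Constructed comparison: what a hand-written class of similar size looks like.
PLAIN_NAMES = ["Equals", "GetHashCode", "GetType", "ToString",
               "ReadConfig", "ConnectToServer", "SendHeartbeat", "HandleCommand"]

# Assumed cut-off in bits per character (the ceiling for [A-Za-z0-9] is log2(62) ~ 5.95).
ENTROPY_THRESHOLD = 4.8


def parse_method_names(row):
    """Extract the single-quoted method names from one report row."""
    return re.findall(r"'([^']*)'", row)


def shannon_entropy(text):
    """Empirical Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names):
    """The sandbox heuristic: entropy of all method names joined into one string."""
    return shannon_entropy("".join(names))


def renamed_fraction(names, min_len=20):
    """Per-name signal: share of names that are long and mix upper case, lower case and digits.

    Inherited members such as Equals/GetHashCode keep their real names under any
    obfuscator, so this complements the whole-string entropy figure.
    """
    def machine_made(name):
        return (len(name) >= min_len
                and any(ch.isdigit() for ch in name)
                and any(ch.isupper() for ch in name)
                and any(ch.islower() for ch in name))
    if not names:
        return 0.0
    return sum(1 for name in names if machine_made(name)) / len(names)


def assess(names, threshold=ENTROPY_THRESHOLD):
    """Summarise both signals for one class and apply the assumed threshold."""
    ent = method_name_entropy(names)
    return {"entropy": round(ent, 2),
            "renamed_fraction": round(renamed_fraction(names), 2),
            "obfuscated": ent >= threshold}


if __name__ == "__main__":
    print("report row :", assess(parse_method_names(REPORT_ROW)))
    print("plain class:", assess(PLAIN_NAMES))
```

            Run it on any other row of this report by pasting the row into REPORT_ROW; the four 60-character names are what drive the number, while the six ordinary names are why it never reaches the theoretical ceiling. A class whose only members are inherited ones will always score low on the joint entropy, which is the case the renamed_fraction signal is there to catch.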

            Persistence and Installation Behavior

            Source: C:\Users\user\Desktop\exe003.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
            Source: C:\Users\user\Desktop\exe003.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
            Source: C:\Users\user\Desktop\exe003.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost
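            Read together, the rows above are the whole persistence story: a PE dropped under %TEMP% with the name of a core Windows process, a shortcut in the user's Startup folder, and an HKCU Run value named svchost. Those are exactly the conditions behind the "Files With System Process Name In Unsuspected Locations" and "New RUN Key Pointing to Suspicious Folder" Sigma hits in the summary. The script below is an added example, not Joe Sandbox or Sigma code; it applies the same three checks to event records constructed to mirror these rows. The data of the Run value (the path it points to, which the report does not print), the two benign control events and the directory lists are assumptions.

```python
"""Apply the persistence checks behind this report's Sigma hits to event records.

Added example, not Joe Sandbox or Sigma code. EVENTS is constructed to mirror
the rows above; the Run value data, the two benign control events and the
directory lists are assumptions.
"""

# Image names that legitimately live only under the Windows system directories.
SYSTEM_PROCESS_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "smss.exe", "wininit.exe", "dllhost.exe", "conhost.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")
# User-writable folders that a Run value should not normally point into.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                   "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Constructed events mirroring the report rows. The `data` of the Run value
# and the last two (benign) events are assumptions.
EVENTS = [
    {"type": "file_create", "process": r"C:\Users\user\Desktop\exe003.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\svchost.exe"},
    {"type": "file_create", "process": r"C:\Users\user\Desktop\exe003.exe",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"},
    {"type": "reg_set", "process": r"C:\Users\user\Desktop\exe003.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "svchost", "data": r"C:\Users\user\AppData\Local\Temp\svchost.exe"},
    # Benign controls (assumed): servicing writes the real svchost.exe, an
    # installer registers an agent under Program Files.
    {"type": "file_create", "process": r"C:\Windows\servicing\TrustedInstaller.exe",
     "path": r"C:\Windows\System32\svchost.exe"},
    {"type": "reg_set", "process": r"C:\Program Files\Vendor\Setup.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "VendorAgent", "data": r"C:\Program Files\Vendor\Agent.exe /background"},
]


def _norm(path):
    """Lower-case and unify separators so every check is case-insensitive."""
    return path.replace("/", "\\").lower()


def system_name_outside_system_dir(path):
    """Sigma 'Files With System Process Name In Unsuspected Locations'."""
    p = _norm(path)
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_PROCESS_NAMES and not p.startswith(SYSTEM_DIRS)


def run_key_to_suspicious_folder(key, data):
    """Sigma 'New RUN Key Pointing to Suspicious Folder': Run/RunOnce value whose data lives in a user-writable folder."""
    k, d = _norm(key), _norm(data)
    return k.endswith(RUN_KEY_SUFFIXES) and any(s in d for s in SUSPICIOUS_DIRS)


def startup_folder_drop(path):
    """Anything written into the per-user Startup folder executes at the next logon."""
    return STARTUP_DIR in _norm(path)


def triage(events):
    """Return one alert per (rule, event) match, in event order."""
    alerts = []
    for ev in events:
        if ev["type"] == "file_create":
            if system_name_outside_system_dir(ev["path"]):
                alerts.append({"rule": "system_process_name_in_unsuspected_location",
                               "process": ev["process"], "detail": ev["path"]})
            if startup_folder_drop(ev["path"]):
                alerts.append({"rule": "startup_folder_drop",
                               "process": ev["process"], "detail": ev["path"]})
        elif ev["type"] == "reg_set":
            if run_key_to_suspicious_folder(ev["key"], ev["data"]):
                alerts.append({"rule": "run_key_to_suspicious_folder",
                               "process": ev["process"],
                               "detail": f"{ev['key']}\\{ev['value']} -> {ev['data']}"})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(f"[{alert['rule']}] {alert['process']}: {alert['detail']}")
```

            The three report rows produce three alerts and the two benign controls produce none. The file-name check is deliberately strict (only the system32/syswow64/winsxs prefixes are allowed), which is why explorer.exe, which lives directly under C:\Windows, is left out of SYSTEM_PROCESS_NAMES; widen the set only together with the allowed prefixes. On a live host the same three functions can be fed from Sysmon event IDs 11 and 13 instead of the constructed list.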

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Note: the two rows above recur once per powershell.exe instance in this analysis. A file open of the BitLocker module manifest is what powershell.exe does for every module under $env:PSModulePath while discovering commands; it shows that the manifest was read, not that BitLocker cmdlets were imported or called. Evidence of actual BitLocker use would be Import-Module BitLocker or a BitLocker cmdlet in the script-block log (Event ID 4104).
            Source: C:\Users\user\Desktop\exe003.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
            Note: NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag passed to SetErrorMode; it suppresses the "file not found" message box and is set routinely by the .NET runtime at process start, which is why the row repeats for every exe003.exe and powershell.exe instance. On its own it carries little weight for the verdict.
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\exe003.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\exe003.exe	Memory allocated: A80000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\exe003.exe	Memory allocated: 1A4C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 33C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 1B3C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 9E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Memory allocated: 1A9A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\exe003.exe	Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\svchost.exe	Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\exe003.exe	Window / User API: threadDelayed 3239
            Source: C:\Users\user\Desktop\exe003.exe	Window / User API: threadDelayed 6517
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4100
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5723
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8058
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1564
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6406
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3244
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6819
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2750
            Source: C:\Users\user\Desktop\exe003.exe TID: 3148	Thread sleep time: -18446744073709540s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796	Thread sleep time: -8301034833169293s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2648	Thread sleep count: 8058 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5876	Thread sleep count: 1564 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5064	Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4352	Thread sleep count: 6406 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4932	Thread sleep count: 3244 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1660	Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7124	Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 3396	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 5988	Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\exe003.exe	File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Local\Temp\svchost.exe	File Volume queried: C:\ FullSizeInformation
            Source: exe003.exe, 00000000.00000002.2751534650.000000001B260000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW %SystemRoot%\system32\mswsock.dllth="7"
            Source: C:\Users\user\Desktop\exe003.exe	Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\exe003.exe	Process token adjusted: Debug
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
            Source: C:\Users\user\Desktop\exe003.exe	Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\exe003.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe'
            Source: C:\Users\user\Desktop\exe003.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe'
            Source: C:\Users\user\Desktop\exe003.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'exe003.exe'
            Source: C:\Users\user\Desktop\exe003.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            Source: C:\Users\user\Desktop\exe003.exe	Queries volume information: C:\Users\user\Desktop\exe003.exe VolumeInformation
            Source: C:\Users\user\Desktop\exe003.exe	Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\svchost.exeQueries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation
            Source: C:\Users\user\Desktop\exe003.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: exe003.exe, 00000000.00000002.2751534650.000000001B260000.00000004.00000020.00020000.00000000.sdmp, exe003.exe, 00000000.00000002.2751534650.000000001B2FD000.00000004.00000020.00020000.00000000.sdmp, exe003.exe, 00000000.00000002.2751534650.000000001B33D000.00000004.00000020.00020000.00000000.sdmp, exe003.exe, 00000000.00000002.2712752666.000000000065B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\exe003.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\exe003.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: C:\Users\user\Desktop\exe003.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: exe003.exe, type: SAMPLE
Source: Yara match | File source: 0.0.exe003.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1458749715.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: exe003.exe PID: 4132, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: exe003.exe, type: SAMPLE
Source: Yara match | File source: 0.0.exe003.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1458749715.0000000000132000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: exe003.exe PID: 4132, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost.exe, type: DROPPED
MITRE ATT&CK Matrix (listed per tactic column; the digits in front of a technique are the report's signature-count badges, kept as extracted; techniques without a badge were not matched):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 11 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Masquerading; 11 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 221 Security Software Discovery; 1 Process Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1560741; Sample: exe003.exe; Start date: 22/11/2024; Architecture: WINDOWS; Score: 100)

Start node: DNS/IP 22.ip.gl.ply.gg. Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 15 other signatures. Started processes: exe003.exe (graph counters 1, 6), svchost.exe, svchost.exe.

exe003.exe: DNS/IP 22.ip.gl.ply.gg 147.185.221.22, ports 37805, 49712, 49734 (SALSGIVERUS, United States). Dropped file: C:\Users\user\AppData\Local\...\svchost.exe, PE32. Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Protects its processes via BreakOnTermination flag; Bypasses PowerShell execution policy; 2 other signatures. Started processes: powershell.exe (graph counter 23), powershell.exe (23), powershell.exe (23), powershell.exe (20).

svchost.exe: Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file.

powershell.exe: Signature: Loading BitLocker PowerShell Module. Each of the four powershell.exe processes started a conhost.exe.

Source | Detection | Scanner | Label
exe003.exe | 82% | ReversingLabs | ByteCode-MSIL.Ransomware.CryptConsole
exe003.exe | 100% | Avira | TR/Spy.Gen
exe003.exe | 100% | Joe Sandbox ML | -

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Avira | TR/Spy.Gen
C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Joe Sandbox ML | -
C:\Users\user\AppData\Local\Temp\svchost.exe | 82% | ReversingLabs | ByteCode-MSIL.Ransomware.CryptConsole

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://crl.m20 | 0% | Avira URL Cloud | safe
http://www.microsoft.coG | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
22.ip.gl.ply.gg | 147.185.221.22 | true | true | - | unknown

Name | Malicious | Antivirus Detection | Reputation
22.ip.gl.ply.gg | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.1552703985.000001A610070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1644558408.0000017969600000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1798500948.000001BD1D320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1983231766.0000019B1006F000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.m20 | powershell.exe, 00000002.00000002.1562126879.000001A66D58C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.coG | powershell.exe, 00000008.00000002.1820510603.000001BD258B6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 0000000A.00000002.1851967269.0000019B00229000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000002.00000002.1537821476.000001A600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1586877790.00000179597B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1701665920.000001BD0D4DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1851967269.0000019B00229000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 0000000A.00000002.1851967269.0000019B00229000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000002.00000002.1537821476.000001A600229000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1586877790.00000179597B8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1701665920.000001BD0D4DB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1851967269.0000019B00229000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/ | powershell.exe, 0000000A.00000002.1983231766.0000019B1006F000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.1552703985.000001A610070000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1644558408.0000017969600000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1798500948.000001BD1D320000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1983231766.0000019B1006F000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://contoso.com/License | powershell.exe, 0000000A.00000002.1983231766.0000019B1006F000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.mic | powershell.exe, 0000000A.00000002.2028287088.0000019B6E4B5000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 0000000A.00000002.1983231766.0000019B1006F000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.1537821476.000001A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1586877790.0000017959591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1701665920.000001BD0D2B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1851967269.0000019B00001000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | exe003.exe, 00000000.00000002.2718797664.00000000024C1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1537821476.000001A600001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1586877790.0000017959591000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.1701665920.000001BD0D2B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.1851967269.0000019B00001000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 0000000A.00000002.1851967269.0000019B00229000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.22 | 22.ip.gl.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1560741
Start date and time: 2024-11-22 09:16:42 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: exe003.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/21@1/1
EGA Information:
• Successful, ratio: 14.3%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 72
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 3480 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 4080 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5628 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 5940 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 4352 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 6924 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: exe003.exe
                                          Time      Type             Description
                                          03:17:48  API Interceptor  56x Sleep call for process: powershell.exe modified
                                          03:18:42  API Interceptor  65086x Sleep call for process: exe003.exe modified
                                          09:18:42  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Local\Temp\svchost.exe
                                          09:18:50  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run svchost C:\Users\user\AppData\Local\Temp\svchost.exe
                                          09:18:59  Autostart        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
                                          Match          | Associated Sample Name / URL | SHA 256  | Detection | Threat Name           | Link   | Context
                                          147.185.221.22 | OXhiMvksgM.exe               | Get hash | malicious | XWorm                 | Browse |
                                                         | 7bZWBYVNPU.exe               | Get hash | malicious | XWorm                 | Browse |
                                                         | BWoiYc9WwI.exe               | Get hash | malicious | XWorm                 | Browse |
                                                         | fjijTlM2tu.exe               | Get hash | malicious | XWorm                 | Browse |
                                                         | gPEbJi1xiY.exe               | Get hash | malicious | XWorm                 | Browse |
                                                         | dHp58IIEYz.exe               | Get hash | malicious | XWorm                 | Browse |
                                                         | 432mtXKD3l.exe               | Get hash | malicious | XWorm                 | Browse |
                                                         | l18t80u9zg.exe               | Get hash | malicious | XWorm                 | Browse |
                                                         | Windows Defender.exe         | Get hash | malicious | XWorm                 | Browse |
                                                         | e7WMhx18XN.exe               | Get hash | malicious | SilentXMRMiner, Xmrig | Browse |
                                          Match           | Associated Sample Name / URL | SHA 256  | Detection | Threat Name | Link   | Context
                                          22.ip.gl.ply.gg | Windows Defender.exe         | Get hash | malicious | XWorm       | Browse | 147.185.221.22
                                                          | eFvQTTtxej.exe               | Get hash | malicious | Njrat       | Browse | 147.185.221.22
                                                          | wB5Gc9RKzG.exe               | Get hash | malicious | XWorm       | Browse | 147.185.221.22
                                                          | TRXLoader.exe                | Get hash | malicious | XWorm       | Browse | 147.185.221.22
                                                          | Bootstrapper.exe             | Get hash | malicious | XWorm       | Browse | 147.185.221.22
                                                          | aimbot.exe                   | Get hash | malicious | XWorm       | Browse | 147.185.221.22
                                                          | XClient.exe                  | Get hash | malicious | XWorm       | Browse | 147.185.221.22
                                                          | Ozj6OxEatlic.exe             | Get hash | malicious | XWorm       | Browse | 147.185.221.22
                                                          | Neverlose.exe                | Get hash | malicious | XWorm       | Browse | 147.185.221.22
                                                          | Solara.exe                   | Get hash | malicious | XWorm       | Browse | 147.185.221.22
                                          Match | Associated Sample Name / URL | SHA 256  | Detection | Threat Name                          | Link   | Context
                                                | SALSGIVERUSyF21ypxRB7.exe    | Get hash | malicious | XWorm                                | Browse | 147.185.221.23
                                                | OXhiMvksgM.exe               | Get hash | malicious | XWorm                                | Browse | 147.185.221.22
                                                | 9GlCWW6bXc.exe               | Get hash | malicious | XWorm                                | Browse | 147.185.221.23
                                                | fiPZoO6xvJ.exe               | Get hash | malicious | XWorm                                | Browse | 147.185.221.23
                                                | EternalPredictor.exe         | Get hash | malicious | Blank Grabber, Skuld Stealer, XWorm  | Browse | 147.185.221.23
                                                | eternal.exe                  | Get hash | malicious | XWorm                                | Browse | 147.185.221.23
                                                | svchost.exe                  | Get hash | malicious | Unknown                              | Browse | 147.185.221.23
                                                | msedge_visual_render.exe     | Get hash | malicious | XWorm                                | Browse | 147.185.221.23
                                                | exe030.exe                   | Get hash | malicious | XWorm                                | Browse | 147.185.221.23
                                                | pQm8Ci3Dov.exe               | Get hash | malicious | XWorm                                | Browse | 147.185.221.23
                                                              No context
                                                              No context
                                                              Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                              File Type:CSV text
                                                              Category:dropped
                                                              Size (bytes):654
                                                              Entropy (8bit):5.380476433908377
                                                              Encrypted:false
                                                              SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                              MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                              SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                              SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                              SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                              Malicious:false
                                                              Reputation:moderate, very likely benign file
                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):64
                                                              Entropy (8bit):0.34726597513537405
                                                              Encrypted:false
                                                              SSDEEP:3:Nlll:Nll
                                                              MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                              SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                              SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                              SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                              Malicious:false
                                                              Preview:@...e...........................................................
                                                              Process:C:\Users\user\Desktop\exe003.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):35
                                                              Entropy (8bit):3.7071562309216133
                                                              Encrypted:false
                                                              SSDEEP:3:rRSFYJKXzovNsr4rn:EFYJKDoWrcn
                                                              MD5:BFABEC865892A34F532FABF984F7E156
                                                              SHA1:3C8292E49FEFD3DA96DBC289B36C4C710B0127E3
                                                              SHA-256:8C8E36E0088165B6606F75DF86D53D3527FD36518C5AAB07425969B066FEEEC6
                                                              SHA-512:CA042E157B8C0E728991567016DF2036D8E6E4311CC74E7DB8AB6335AC20C02BD8099F3248E82B8DB5C26A7C6B687D1D7A440EC77D55B3BAE42D3753DBD63129
                                                              Malicious:false
                                                              Preview:....### explorer ###..[WIN]r[WIN]r
                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):60
                                                              Entropy (8bit):4.038920595031593
                                                              Encrypted:false
                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                              Malicious:false
                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                               The preceding dropped-file entry (PowerShell AppLocker test file written by powershell.exe, 60 bytes, MD5 D17FE0A3F47BE24A6453E9EF58C94641) appears 15 more times in the report with identical file type, size, entropy, SSDEEP, SHA1, SHA-256, SHA-512, Malicious flag and Preview.
                                                              Process:C:\Users\user\Desktop\exe003.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):74752
                                                              Entropy (8bit):5.94821558304431
                                                              Encrypted:false
                                                              SSDEEP:1536:j7h1eEfP2SP5Ap55v/oI+bI5Nez7BC9z6jFpOObo0:sSP45J/Z+bKNQpOO80
                                                              MD5:4CDCC052CBFA29DACCD43389D7C5AFD2
                                                              SHA1:C3BFFB079F6B5BF2EF63B8E14D199B72B4BE8EE2
                                                              SHA-256:78886DD99890F1D9D9BCF8CD1A89C2BD0BB74D26E3693602CC7D33C3FD6ECBD4
                                                              SHA-512:B580196F4F0CFB16A907C62C30D812E09D3FA664881D306B0337A149A67EDCC3341DE4FD9E316EACF2B33951FF972CF1B4E92CBAED561101532054729CFC1A4D
                                                              Malicious:true
                                                              Yara Hits:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 82%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.<g.............................8... ...@....@.. ....................................@..................................8..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................8......H.......$^..l.......&.....................................................(....*.r...p*. S...*..(....*.r{..p*. ....*.s.........s.........s.........s.........*.r...p*. ~.H.*.ro..p*. .+.*.r...p*. E/..*.rc..p*. aL8.*.r...p*. ....*..((...*.r%..p*. v...*.r...p*. .g..*"(....+.*&(....&+.*.+5sY... .... .'..oZ...(,...~....-.(G...(9...~....o[...&.-.*.r...p*. ...*.r...p*. .o..*.r...p*. ....*.rC..p*.r...p*. MZ..*.r...p*. 3gb.*..............j..................s\..............*"(I...+.*:
                                                              Process:C:\Users\user\Desktop\exe003.exe
                                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Nov 22 07:18:42 2024, mtime=Fri Nov 22 07:18:42 2024, atime=Fri Nov 22 07:18:42 2024, length=74752, window=hide
                                                              Category:dropped
                                                              Size (bytes):1053
                                                              Entropy (8bit):4.983777363931644
                                                              Encrypted:false
                                                              SSDEEP:12:8Kfis+4tykChraAARaDvgKEzLTAICPljAnE1HgUNwuLVtJt34t2YZ/elFlSJmkmV:8KfRtXdRsgKdAnEV71tJtNqygm
                                                              MD5:B6C1A0E34A2968A30262178963179459
                                                              SHA1:9D432F4C60EA0AD31E58D0EE961E6B3E4C95EE20
                                                              SHA-256:51533BEBB84C181111A029F7EEF3FC4527CA03FD2ECED709A18B2292AFA7883C
                                                              SHA-512:1042399545BC62965CD8E62CA6AB36D130409904AD8DCC936FF50E4F464A9E472A7CF600D3B00D75500DAFE0670F594F32D7F9EAFF2AF6DCF4997874CE04ABCD
                                                              Malicious:false
                                                              Preview:L..................F.... ....Kv$.<...Kv$.<...Kv$.<...$........................:..DG..Yr?.D..U..k0.&...&.......y.Yd........<.....$.<......t...CFSF..1.....EW)B..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW)BvY4B..........................d...A.p.p.D.a.t.a...B.P.1.....vY2B..Local.<......EW)BvY4B..........................@6.L.o.c.a.l.....N.1.....vYKB..Temp..:......EW)BvYKB.........................m..T.e.m.p.....b.2..$..vYVB .svchost.exe.H......vYVBvYVB..........................D...s.v.c.h.o.s.t...e.x.e.......]...............-.......\...........PTh......C:\Users\user\AppData\Local\Temp\svchost.exe..(.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.s.v.c.h.o.s.t...e.x.e.............:...........|....I.J.H..K..:...`.......X.......648351...........hT..CrF.f4... .[..U.....,...E...hT..CrF.f4... .[..U.....,...E..............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.........9...1SPS..mD
                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Entropy (8bit):5.94821558304431
                                                              TrID:
                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                              • Windows Screen Saver (13104/52) 0.07%
                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                              File name:exe003.exe
                                                              File size:74'752 bytes
                                                              MD5:4cdcc052cbfa29daccd43389d7c5afd2
                                                              SHA1:c3bffb079f6b5bf2ef63b8e14d199b72b4be8ee2
                                                              SHA256:78886dd99890f1d9d9bcf8cd1a89c2bd0bb74d26e3693602cc7d33c3fd6ecbd4
                                                              SHA512:b580196f4f0cfb16a907c62c30d812e09d3fa664881d306b0337a149a67edcc3341de4fd9e316eacf2b33951ff972cf1b4e92cbaed561101532054729cfc1a4d
                                                              SSDEEP:1536:j7h1eEfP2SP5Ap55v/oI+bI5Nez7BC9z6jFpOObo0:sSP45J/Z+bKNQpOO80
                                                              TLSH:13738E587BD60525E0FFAFF65EF53256CB39F2231902D29F24C501861B23A88CE516F6
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.<g.............................8... ...@....@.. ....................................@................................
                                                              Icon Hash:00928e8e8686b000
                                                              Entrypoint:0x4138de
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x673C8B4F [Tue Nov 19 12:57:51 2024 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:4
                                                              OS Version Minor:0
                                                              File Version Major:4
                                                              File Version Minor:0
                                                              Subsystem Version Major:4
                                                              Subsystem Version Minor:0
                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the remaining 97 decoded instructions are all `add byte ptr [eax], al`, i.e. the 00 00 zero padding after the .NET entry stub's jump through the IAT to _CorExeMain)
Name                                 Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT         0x13890          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       0x14000          0x4ce         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY       0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC      0x16000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS            0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT            0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED       0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x118e4       0x11a00   8bda2124eff2cc654517e928fa4ef114  False     0.6009253102836879  data       6.019660079607456    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x14000          0x4ce         0x600     ad84082110ce2b2d315864b5213c3566  False     0.3736979166666667  data       3.720241549229852    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x16000          0xc           0x200     b9fbeaedf7b810c739cd0d486396bc34  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                                   Language  Country  ZLIB Complexity
RT_VERSION   0x140a0  0x244  data                                                                                                      0.4724137931034483
RT_MANIFEST  0x142e4  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                        0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 22, 2024 09:18:43.901890993 CET  49712        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:18:44.021420002 CET  37805        49712      147.185.221.22  192.168.2.8
Nov 22, 2024 09:18:44.021538019 CET  49712        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:18:44.425573111 CET  49712        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:18:44.545160055 CET  37805        49712      147.185.221.22  192.168.2.8
Nov 22, 2024 09:18:56.108819962 CET  49712        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:18:56.228322029 CET  37805        49712      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:06.171061039 CET  37805        49712      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:06.171149969 CET  49712        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:09.481677055 CET  49712        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:09.483549118 CET  49734        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:09.601392031 CET  37805        49712      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:09.603125095 CET  37805        49734      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:09.603247881 CET  49734        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:09.636714935 CET  49734        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:09.756493092 CET  37805        49734      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:22.740712881 CET  49734        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:22.860152960 CET  37805        49734      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:31.506768942 CET  37805        49734      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:31.506839991 CET  49734        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:31.709083080 CET  49734        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:31.710412979 CET  49785        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:31.828711033 CET  37805        49734      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:31.829999924 CET  37805        49785      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:31.833384991 CET  49785        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:31.887006044 CET  49785        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:32.006547928 CET  37805        49785      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:44.162544012 CET  49785        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:44.282078028 CET  37805        49785      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:53.506062031 CET  49785        37805      192.168.2.8     147.185.221.22
Nov 22, 2024 09:19:53.625603914 CET  37805        49785      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:53.724966049 CET  37805        49785      147.185.221.22  192.168.2.8
Nov 22, 2024 09:19:53.725027084 CET  49785        37805      192.168.2.8     147.185.221.22
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 22, 2024 09:18:43.555596113 CET  57046        53         192.168.2.8  1.1.1.1
Nov 22, 2024 09:18:43.873233080 CET  53           57046      1.1.1.1      192.168.2.8
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class        DNS over HTTPS
Nov 22, 2024 09:18:43.555596113 CET  192.168.2.8  1.1.1.1  0xb955    Standard query (0)  22.ip.gl.ply.gg  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name             CName  Address         Type            Class        DNS over HTTPS
Nov 22, 2024 09:18:43.873233080 CET  1.1.1.1    192.168.2.8  0xb955    No error (0)  22.ip.gl.ply.gg         147.185.221.22  A (IP address)  IN (0x0001)  false

                                                              Target ID:0
                                                              Start time:03:17:42
                                                              Start date:22/11/2024
                                                              Path:C:\Users\user\Desktop\exe003.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\Desktop\exe003.exe"
                                                              Imagebase:0x130000
                                                              File size:74'752 bytes
                                                              MD5 hash:4CDCC052CBFA29DACCD43389D7C5AFD2
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1458749715.0000000000132000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1458749715.0000000000132000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                              Reputation:low
                                                              Has exited:false

                                                              Target ID:2
                                                              Start time:03:17:46
                                                              Start date:22/11/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\exe003.exe'
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:3
                                                              Start time:03:17:46
                                                              Start date:22/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:03:17:53
                                                              Start date:22/11/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'exe003.exe'
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:6
                                                              Start time:03:17:53
                                                              Start date:22/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:8
                                                              Start time:03:18:04
                                                              Start date:22/11/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\svchost.exe'
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:9
                                                              Start time:03:18:04
                                                              Start date:22/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:10
                                                              Start time:03:18:20
                                                              Start date:22/11/2024
                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                                                              Imagebase:0x7ff6cb6b0000
                                                              File size:452'608 bytes
                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:03:18:20
                                                              Start date:22/11/2024
                                                              Path:C:\Windows\System32\conhost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                              Imagebase:0x7ff6ee680000
                                                              File size:862'208 bytes
                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:true

                                                              Target ID:16
                                                              Start time:03:18:50
                                                              Start date:22/11/2024
                                                              Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Local\Temp\svchost.exe"
                                                              Imagebase:0xff0000
                                                              File size:74'752 bytes
                                                              MD5 hash:4CDCC052CBFA29DACCD43389D7C5AFD2
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: Joe Security
                                                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Author: ditekSHen
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 82%, ReversingLabs
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:17
                                                              Start time:03:18:59
                                                              Start date:22/11/2024
                                                              Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:"C:\Users\user\AppData\Local\Temp\svchost.exe"
                                                              Imagebase:0x580000
                                                              File size:74'752 bytes
                                                              MD5 hash:4CDCC052CBFA29DACCD43389D7C5AFD2
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:low
                                                              Has exited:true


                                                                Execution Graph

                                                                Execution Coverage:18.5%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:6
                                                                Total number of Limit Nodes:0

                                                                Control-flow Graph

                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2758759658.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4add0000_exe003.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 0N_I
                                                                • API String ID: 0-2571648984
                                                                • Opcode ID: 40bfe11a94358a29c79b2e3b07fd49516836e98fa5f832bd182ebb19723fe0a4
                                                                • Instruction ID: 9e438f9620fe1a140589686b8cf3273306be6b1e39896788fc5886bef75696ed
                                                                • Opcode Fuzzy Hash: 40bfe11a94358a29c79b2e3b07fd49516836e98fa5f832bd182ebb19723fe0a4
                                                                • Instruction Fuzzy Hash: 330246A1B1DA564BE798BF3CC9456B93BD5EF99314F6444F9E449C31C2EE28BC018381

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2758759658.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4add0000_exe003.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ed135aa7900c5849d3bd2b977e9272f06920bc0c6958e3359443f0aa9b871089
                                                                • Instruction ID: 6b9790eb399e19fd012f0948c70475c4312110fb26ef30e234ff17c88eab7830
                                                                • Opcode Fuzzy Hash: ed135aa7900c5849d3bd2b977e9272f06920bc0c6958e3359443f0aa9b871089
                                                                • Instruction Fuzzy Hash: B522B2A1B2DA494BE798FF3CC4592797BD6FF98300F5405B9E44EC3296DE28A8418781

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2758759658.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4add0000_exe003.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 307c7b6a15bc080bb59271e57d78f0670926c576321359b86bbf2b433c8dbfa5
                                                                • Instruction ID: 1a8bd4df73e8f2b50bc1546bc1a6b0888b8f82b2a65b292bfea387926332309b
                                                                • Opcode Fuzzy Hash: 307c7b6a15bc080bb59271e57d78f0670926c576321359b86bbf2b433c8dbfa5
                                                                • Instruction Fuzzy Hash: C002B4A1B1DA4A4BE799FF3CD4592797AD2FF98300F5405B9E44EC32D6DE28AC418381

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2758759658.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4add0000_exe003.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cd4ba2edcca09b0129c840d3a539ecbe349337134537f38c97bf9e7722378cbe
                                                                • Instruction ID: 55442c17ba4af111353e4bc22313ef94bbb74fc84334dda02ce487998efeac8b
                                                                • Opcode Fuzzy Hash: cd4ba2edcca09b0129c840d3a539ecbe349337134537f38c97bf9e7722378cbe
                                                                • Instruction Fuzzy Hash: 06F19270A0CA8D8FEBA9EF28C8557E977D1FF54310F1442BAE84DC7291DB74A9418B81

                                                                Control-flow Graph

                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2758759658.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4add0000_exe003.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b6959d543457548f70a4378c253fa0207b9192bb3b0820e02381315669e0bcd7
                                                                • Instruction ID: 3a0fcac3cb481273d8e2756f7b61e1d9b8f82af5f0a9960a52598e4340218e9a
                                                                • Opcode Fuzzy Hash: b6959d543457548f70a4378c253fa0207b9192bb3b0820e02381315669e0bcd7
                                                                • Instruction Fuzzy Hash: F5E1C270A0CA4E8FEBA8EF28C8557E97BD1FF54310F14426EE80DC7695CE75A8418B81

                                                                Control-flow Graph

                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2758759658.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_7ffb4add0000_exe003.jbxd
                                                                Similarity
                                                                • API ID: CriticalProcess
                                                                • String ID:
                                                                • API String ID: 2695349919-0

Control-flow Graph: basic blocks 7ffb4add3dd8-7ffb4add3eed; the block at 7ffb4add3e72-7ffb4add3eaf calls SetWindowsHookExW
APIs
Memory Dump Source
• Source File: 00000000.00000002.2758759658.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ffb4add0000_exe003.jbxd
Similarity
• API ID: HookWindows
• String ID:
• API String ID: 2559412058-0

Memory Dump Source
• Source File: 00000002.00000002.1564063638.00007FFB4AE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4ae90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1563580980.00007FFB4ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4adc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1564063638.00007FFB4AE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4ae90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1564063638.00007FFB4AE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4ae90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1563580980.00007FFB4ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4adc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1563189821.00007FFB4ACAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACAD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4acad000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1563580980.00007FFB4ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4adc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1564063638.00007FFB4AE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4ae90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1564063638.00007FFB4AE90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AE90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4ae90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000002.00000002.1563580980.00007FFB4ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4adc0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Strings
Memory Dump Source
• Source File: 00000002.00000002.1563580980.00007FFB4ADC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_7ffb4adc0000_powershell.jbxd
Similarity
• API ID:
• String ID: N_^4$N_^7$N_^F$N_^J
• API String ID: 0-3508309026

Strings
Memory Dump Source
• Source File: 00000005.00000002.1665993656.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffb4aea0000_powershell.jbxd
Similarity
• API ID:
• String ID: X7Yi
• API String ID: 0-1372468389

Strings
Memory Dump Source
• Source File: 00000005.00000002.1665993656.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffb4aea0000_powershell.jbxd
Similarity
• API ID:
• String ID: X7Yi
• API String ID: 0-1372468389

Memory Dump Source
• Source File: 00000005.00000002.1665266336.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffb4add0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000005.00000002.1664519186.00007FFB4ACBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACBD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffb4acbd000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000005.00000002.1665266336.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffb4add0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000005.00000002.1665266336.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffb4add0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000005.00000002.1665993656.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffb4aea0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000005.00000002.1665993656.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffb4aea0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000005.00000002.1665993656.00007FFB4AEA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffb4aea0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Memory Dump Source
• Source File: 00000005.00000002.1665266336.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_7ffb4add0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                • Opcode ID: 66a6d630f4e5804b28988d6aaee8dfba6d93273de56fd7a6639f2feb141a6bf4
                                                                • Instruction ID: b41ffb8f3526b36d4f8d0c99cc8292bfed07bfeb87cd3b71a986d684d332d18d
                                                                • Opcode Fuzzy Hash: 66a6d630f4e5804b28988d6aaee8dfba6d93273de56fd7a6639f2feb141a6bf4
                                                                • Instruction Fuzzy Hash: E8E0B635414A4C8F8B49EF18D8599E97BA0FB69205B01429BE81DC7120DB719A58CBC2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000005.00000002.1665266336.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_5_2_7ffb4add0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: M_^8$M_^<$M_^?$M_^J$M_^K$M_^N$M_^Q$M_^Y
                                                                • API String ID: 0-962139525
                                                                • Opcode ID: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                • Instruction ID: 187effe4f67ea60da1472855e96bc5b7f94cf9754118774b3596ae59cf6fcf87
                                                                • Opcode Fuzzy Hash: 78afc6692382add72f29a453e46cef919c850fcb415a89dede20db3bf3140953
                                                                • Instruction Fuzzy Hash: 1E21D7B3604615CBD202367CF8819DC7794DF5437938603F7E829CF193ED1868A78AA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1825443310.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4aeb0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: J_H
                                                                • API String ID: 0-326533465
                                                                • Opcode ID: 6d78c90df1e1f84d80b3e0dbd21b75430d95572cb96f98021b98c043aeb397a3
                                                                • Instruction ID: 7f3e176563437e5f92f3aff1be611f3cc10ba51938272afeae7a69cd050714c7
                                                                • Opcode Fuzzy Hash: 6d78c90df1e1f84d80b3e0dbd21b75430d95572cb96f98021b98c043aeb397a3
                                                                • Instruction Fuzzy Hash: C94246A2A4DB8A4FE396FE38D85A1A47BD5FF46210B2801FBD09DC75D3DD189C068391
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1825443310.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4aeb0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7001144c3b4be14f046c9a0bba89d5cb0f6d3837052a49c813403e9acb0457e1
                                                                • Instruction ID: cb9edcbd2a1afd88ea58f69e88a4fb54ed28611c63f1a0cea2ccd3adec177cf7
                                                                • Opcode Fuzzy Hash: 7001144c3b4be14f046c9a0bba89d5cb0f6d3837052a49c813403e9acb0457e1
                                                                • Instruction Fuzzy Hash: D5C106A2D0EA8A8FE796FF78C8195B57BE5FF15214B2801FED49CC70D3DA2898058351
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1825443310.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4aeb0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bb587f2ffc03a92daa4b581b0ee91ff479a89cb8fe00ab66ba5325ec5b6a1ee4
                                                                • Instruction ID: 7cb8382e5ed74aaafe57e22cb5194df112db5e5ae1e12c5a392c4d69c7d0053b
                                                                • Opcode Fuzzy Hash: bb587f2ffc03a92daa4b581b0ee91ff479a89cb8fe00ab66ba5325ec5b6a1ee4
                                                                • Instruction Fuzzy Hash: D8B147A294DB894FE356FE3C98191B43FE5EF52220B2901FBD19DC71D3D918AC068352
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1825443310.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4aeb0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 16db379810dc768be7318bcb2bdc5f42dd2e0ba12c612cc8a4cb5b55d4b30c08
                                                                • Instruction ID: 5297abe362821b760155512d4fee86eee29101fd0ef21fe995b3fcc271835ba9
                                                                • Opcode Fuzzy Hash: 16db379810dc768be7318bcb2bdc5f42dd2e0ba12c612cc8a4cb5b55d4b30c08
                                                                • Instruction Fuzzy Hash: DDA112A2D4EA8A8FE7A5FF78C8191757AD5FF05310F2401FAE49CC70D3DA2898058391
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1824413858.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4ade0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 49e307541acc175e4852e3cc001fee58be0efd5382ed042c994269fbc86a104a
                                                                • Instruction ID: f722a0caeadeb82bf267f4ef69417521f7ed1bd466693bfbc642a4848435aa46
                                                                • Opcode Fuzzy Hash: 49e307541acc175e4852e3cc001fee58be0efd5382ed042c994269fbc86a104a
                                                                • Instruction Fuzzy Hash: 1D41FCE7D0DA934FE302BF7CE8A20E53F90EF51266B5801F7D4888A097ED1528578691
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1824413858.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4ade0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ce4852222233ecc31a4d4d2ee09781898b83b7e423f0d2a1b1eaf2a448ad9efb
                                                                • Instruction ID: db32560b578b5d36bc291b48daa052c0031d42e79b8a43a4e68ad006481941b5
                                                                • Opcode Fuzzy Hash: ce4852222233ecc31a4d4d2ee09781898b83b7e423f0d2a1b1eaf2a448ad9efb
                                                                • Instruction Fuzzy Hash: B2412971A1CF885FDB58EF5CDC466A9BBE0FB94311F10816FE049C3286DA24A855CBC2
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1823479999.00007FFB4ACCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACCD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4accd000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 882996ac04384b8042f004492d345051889509f44a9bbc6747ed66c9fc15b3b7
                                                                • Instruction ID: adba02ea6fd87f6c85d7ef390334de22aaad5fba404d5bf62abc8a38a064f882
                                                                • Opcode Fuzzy Hash: 882996ac04384b8042f004492d345051889509f44a9bbc6747ed66c9fc15b3b7
                                                                • Instruction Fuzzy Hash: A941D07040DBC48FE796DF389C459523FF4EB52220B1906EFD088CB5A3D629A846C792
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1824413858.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4ade0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f0556b461b21c753c1b18c6dbb188e12423722a35a7eb27aeee304351e9851ee
                                                                • Instruction ID: 932117a2834d3ad793ca688a2af296c9f04cdccf02884ad5a6347e0be6fb5f5c
                                                                • Opcode Fuzzy Hash: f0556b461b21c753c1b18c6dbb188e12423722a35a7eb27aeee304351e9851ee
                                                                • Instruction Fuzzy Hash: C931F67190CB8C4FDB59DF68D84A6EA7FF0EB96321F0481AFD448C7163D624681AC792
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1825443310.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4aeb0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c03e1a1165735afe17436b6c243b3feff2d86cea79faeb38547f71d8a45acf0f
                                                                • Instruction ID: cd37a300fb760ac4a61dde0f758c55d2416de6091f617fc211753cf4a2a8d19c
                                                                • Opcode Fuzzy Hash: c03e1a1165735afe17436b6c243b3feff2d86cea79faeb38547f71d8a45acf0f
                                                                • Instruction Fuzzy Hash: 9E21C0A2D9DA474FE3A9FE28D65913466D5FF64210F7800FAD66DC71E2CD18DC058242
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1824413858.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4ade0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 457f111b9c807471da7b9ecfe2a2f1f08a90feb4bc1c2601ae71b76a9c30f9f8
                                                                • Instruction ID: ef60c6ab47fc8e65d441bc4aa9833dcf1b06a9bacda99a5ec93f4a054b43a442
                                                                • Opcode Fuzzy Hash: 457f111b9c807471da7b9ecfe2a2f1f08a90feb4bc1c2601ae71b76a9c30f9f8
                                                                • Instruction Fuzzy Hash: FA21F27190CA0C8FDB58DF9CD88A7EA7BE4EB95321F00816FD449C3252D674A81ACB91
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1825443310.00007FFB4AEB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEB0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4aeb0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 72ee4a9e313999f4cefad2b67ccf7abb8e609dd74bb63bc93ba7ffe90f2644e3
                                                                • Instruction ID: 0150c010154c9eedecd16e652f650e3d8f1b0e4a565890a9129591c7d02a4b38
                                                                • Opcode Fuzzy Hash: 72ee4a9e313999f4cefad2b67ccf7abb8e609dd74bb63bc93ba7ffe90f2644e3
                                                                • Instruction Fuzzy Hash: 071123B295E6464FE7A5FF2CD5585B83AE5FF0422073800FAD6ADC71D2D918AC108351
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1824413858.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4ade0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                • Instruction ID: 32612c52a15e36f45895d17d4a670a9e6443dab9b18759698d7859eecb78e10c
                                                                • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                                                • Instruction Fuzzy Hash: 2401677111CB0C8FD744EF0CE451AB6B7E0FB95364F10056DE58AC3655DA36E892CB45
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1824413858.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4ade0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: L_^$L_^$L_^$L_^
                                                                • API String ID: 0-2357752022
                                                                • Opcode ID: 427ee820b22c13b6675cf56d7b0801457dca8a89f725bec2635d09802ff10d19
                                                                • Instruction ID: defecdca1a41c9d127c7917256bb968147db89610b7b25ac1347f51fde90c2a0
                                                                • Opcode Fuzzy Hash: 427ee820b22c13b6675cf56d7b0801457dca8a89f725bec2635d09802ff10d19
                                                                • Instruction Fuzzy Hash: 9E41B9E3A0EBC21FE3465E7989650EE7FA4FF52254B1D41F7C1C88B083E919191BC252
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.1824413858.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_7ffb4ade0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: L_^4$L_^7$L_^F$L_^J
                                                                • API String ID: 0-3225005683
                                                                • Opcode ID: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                                • Instruction ID: cc94c5bfc2baa8c7866c676b51a0ad6dea904ae2639a38f2cfc7c2caf520fda5
                                                                • Opcode Fuzzy Hash: 02d8dffb2fc30e881c9c0a44405cd32b71f90e60e1d62c3e6a1fe4010585dcda
                                                                • Instruction Fuzzy Hash: 262101B76086259ED2027BBDF8445ED3768CB9423434552F6DA998B083EA1474AB8AF0
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2035158555.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4aec0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 601a9296146179fe2df45442d078463f13a2259380587a9542dc28e64026a388
                                                                • Instruction ID: c60d948ecdc48d058a03a6fd9de6ea23fcf77c0598137c672288e23291325aec
                                                                • Opcode Fuzzy Hash: 601a9296146179fe2df45442d078463f13a2259380587a9542dc28e64026a388
                                                                • Instruction Fuzzy Hash: 59D125B290EB898FE7A6BF78C8595B67BE5FF05210B2801FED49CC7193DA189805C351
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2033911944.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4adf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 65a4e5e385b66304faa32f9852f93fd6987624fd81fe04fbe9d0bd56e5adc918
                                                                • Instruction ID: f2e03359050696db0f6f8ebbcdb0cd97dbbdf5b9521c77eedbf42eeb9d38cdd0
                                                                • Opcode Fuzzy Hash: 65a4e5e385b66304faa32f9852f93fd6987624fd81fe04fbe9d0bd56e5adc918
                                                                • Instruction Fuzzy Hash: 84216DA690E7C94FD743AB3898A51D57FB0EF2311570901EBD489CB0B3D9185909C7A2
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2033911944.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4adf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 77cd807e992647f54bbde66e81d55859abb23342d1eabf7cbad50a5ae36056b1
                                                                • Instruction ID: 08372d5d4ae1f4ac6a9e9f11cfdad06a4f6fb934032e9d11d9ce9f57b40799a8
                                                                • Opcode Fuzzy Hash: 77cd807e992647f54bbde66e81d55859abb23342d1eabf7cbad50a5ae36056b1
                                                                • Instruction Fuzzy Hash: 2131E77191CB888FDB189F5C9C0A6A97BF0FB99311F04426FE449D3292CA70A815CBC6
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2032576445.00007FFB4ACDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ACDD000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4acdd000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 253bd2a7dfbcfbca77fda114fcb11e3ca92af632ffd31cfc3930e099ca7a5982
                                                                • Instruction ID: 97a2e1f22728737b3c0a5c95a02acef8948741483d264a4e12874b57f5b4c6ac
                                                                • Opcode Fuzzy Hash: 253bd2a7dfbcfbca77fda114fcb11e3ca92af632ffd31cfc3930e099ca7a5982
                                                                • Instruction Fuzzy Hash: DF41C37040DBC48FE796DF28DC419923FF4EF56224B1905DFD088CB5A3D625A846C7A2
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2033911944.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4adf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4fa2caa70ab75eb0490f5ba10414e5b567d5764f2b024a15a6ef5a56e4d3528c
                                                                • Instruction ID: 7c94d90712781219b0a3157ddcca3a04367f91e6254ab2146c5bca792b6173be
                                                                • Opcode Fuzzy Hash: 4fa2caa70ab75eb0490f5ba10414e5b567d5764f2b024a15a6ef5a56e4d3528c
                                                                • Instruction Fuzzy Hash: F931F47190CB884FDB19DF68984A6E97FF0EB96320F0441AFD448C7163D624681ACB92
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2033911944.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4adf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c268fd1c7f6dbea51088e002b81ef5b486fb0aded9cf473ddbf1f53ad90009dc
                                                                • Instruction ID: 1b16787fd0e559ec9b8984e121aa6c484d8b2ed6018a8dd8f2641bea3763e607
                                                                • Opcode Fuzzy Hash: c268fd1c7f6dbea51088e002b81ef5b486fb0aded9cf473ddbf1f53ad90009dc
                                                                • Instruction Fuzzy Hash: DF21D37190CA4C8FDB58DF9CD84A7E97BE4EBA5321F00416FD449C3152D674A81ACB91
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2033911944.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4adf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                • Instruction ID: 4f6bc8432e5228d4233df3ba803cd00d721fd53027c04a377397fecbef66d5ae
                                                                • Opcode Fuzzy Hash: 582908582f657131c1f04ed76f34d09c60f6b2c2f8b724a61ceffa3ac25bcdd6
                                                                • Instruction Fuzzy Hash: E501677111CB0C8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3655DA36E892CB45
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2035158555.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4aec0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f3928ff8028a69949dc7c9239d13ddb2db15bde07dd68c7ffc031366fe8dc092
                                                                • Instruction ID: ffabcee9f93ed89fdb7799fd38532aa4c99bd60318187c506c478812e48aadc2
                                                                • Opcode Fuzzy Hash: f3928ff8028a69949dc7c9239d13ddb2db15bde07dd68c7ffc031366fe8dc092
                                                                • Instruction Fuzzy Hash: 74F09A32A8D6048FD759FE6CE4454A877E4FF5432072500FAE1ADC7567CA26EC418B90
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2035158555.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4aec0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: aaee0a38278400b1f064ed10404672be87e2bd4b8ab98af1f70ea34f728f17d3
                                                                • Instruction ID: 30d3705d8cf9f450c0bf9e3212b6443c310e99410b153e1645c079641cb606b0
                                                                • Opcode Fuzzy Hash: aaee0a38278400b1f064ed10404672be87e2bd4b8ab98af1f70ea34f728f17d3
                                                                • Instruction Fuzzy Hash: 5BF09A72A4D5448FD755BE68E0454A877E4FF0432072500F6E15EC7567DA26AC418B60
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2035158555.00007FFB4AEC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4AEC0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4aec0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction ID: 164ef53ba8b696e72d594f36deb671658ec381161fa49f1f339a6ecaf341e5b3
                                                                • Opcode Fuzzy Hash: 05dd94a12dc45e8f7da9c60e7e1a12ab84c0b153eba5a8a472aa7bc71ce4f1d8
                                                                • Instruction Fuzzy Hash: 62E01A31B8C9088FDA68EE0CE1449F973E5FB9833172101F7D19EC7566CA22EC518B80
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2033911944.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4adf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 339665c6408c02bb72069e651ee242ff6a066595abf9c25ad2c1679319278aa1
                                                                • Instruction ID: 49722811ac719c5b279a461c13d0891d7f228e4d7ca84196b67a2f70a84798cc
                                                                • Opcode Fuzzy Hash: 339665c6408c02bb72069e651ee242ff6a066595abf9c25ad2c1679319278aa1
                                                                • Instruction Fuzzy Hash: 76E0CD6034D6C64FD345997CE0407FA7681DF85310F54147DF4CD83387D64D59415352
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 0000000A.00000002.2033911944.00007FFB4ADF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_10_2_7ffb4adf0000_powershell.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: K_^8$K_^<$K_^?$K_^J$K_^K$K_^N$K_^Q$K_^Y
                                                                • API String ID: 0-2350917820
                                                                • Opcode ID: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                                                • Instruction ID: 4cbacb9686d4d1f44c31ae394bda1626e151132465c60d0af2673b7e3f21ca17
                                                                • Opcode Fuzzy Hash: 227aa69b1fbc1c82fa311b63e9fce6667358cd8e78cee4ad2729eeab0005292d
                                                                • Instruction Fuzzy Hash: 1C2138B3A086159BCA023B7CF8825D877A8DF5437834502F7E818CF053DD14A9EB86A0
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: a024bac81c4b812183561c435152ed5acd9a1f66340808ad0177ce544084d07a
                                                                • Instruction ID: d695a231d71663bb917eee979f6a9e91667b63e80c0a635d03a28a73df2abe80
                                                                • Opcode Fuzzy Hash: a024bac81c4b812183561c435152ed5acd9a1f66340808ad0177ce544084d07a
                                                                • Instruction Fuzzy Hash: F322B2A0B2DE495BE794FF38C4592BA77D6FF98314F5401B9E44EC36C2DE28A8418741
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: be1a45e22999d340f853fcdc1c19998f1ae131c2c71beb0b23fa9786e60fbdb3
                                                                • Instruction ID: 2858387efb612be5d2094661a99e4fe547803bbe92568c15fa173ad99a3d5c3f
                                                                • Opcode Fuzzy Hash: be1a45e22999d340f853fcdc1c19998f1ae131c2c71beb0b23fa9786e60fbdb3
                                                                • Instruction Fuzzy Hash: 2E02A1A0B2DE4A5FE799FF38C4592B976D6EF98300F5401B9E44EC36C6DD28AC418741
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f21771c7a4f66b4c810a7a57de07e7ac96e6ff1d9ea9519919727ed54242ecae
                                                                • Instruction ID: 8dd7f85cfd053e6ff88001235fbf07f1815054ecd2ad21dbd99f020eb1566d2e
                                                                • Opcode Fuzzy Hash: f21771c7a4f66b4c810a7a57de07e7ac96e6ff1d9ea9519919727ed54242ecae
                                                                • Instruction Fuzzy Hash: AF41AFA6A0EBCA5FD742EF78DCA51EA7FB0EF56210B0901FBD185CB1D3D92818068351
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9509281b5755e218841e1e531729fe9aee8e3c324fbd49bdd58f7ae69f0ae490
                                                                • Instruction ID: 7e91060569456c00e2c7e48fe280511e7e013b385df4dfbd8017d871467c44ee
                                                                • Opcode Fuzzy Hash: 9509281b5755e218841e1e531729fe9aee8e3c324fbd49bdd58f7ae69f0ae490
                                                                • Instruction Fuzzy Hash: 6021C5A6F19E8A5FE745FFB8CC651FA7BA5FF58200F5401FAE549861D2DD2428028780
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ec461ccc3b797618f0bb813d5d55dacad98c048c63fa3fc352d99116fb078fa7
                                                                • Instruction ID: dc0e705520b145f423413dcfccfb33a7d3faa6e4924d3cdc9ddd192c0ff86389
                                                                • Opcode Fuzzy Hash: ec461ccc3b797618f0bb813d5d55dacad98c048c63fa3fc352d99116fb078fa7
                                                                • Instruction Fuzzy Hash: 3A511561A0EA861FE357AB3888561793FE5DF87210B1940FBD88DC7593DC1CAC46C362
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ee9e51f2bf9d5271ef646d13a8015c0ffd7266da76dd307165b0a5f0c6279b95
                                                                • Instruction ID: f2d6ad68c9479a87d32699fa8b24c80176c8617395c5d97341d9c1cb33fc0b37
                                                                • Opcode Fuzzy Hash: ee9e51f2bf9d5271ef646d13a8015c0ffd7266da76dd307165b0a5f0c6279b95
                                                                • Instruction Fuzzy Hash: C631D1A1B1DE095BF745BBB8C85A2BD77D5EB98301F0402FAE40DC36D3DD2898028391
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 66c5c6608108d4bdb404e0e20cc3e373e48806f75d3a27e224dc5ca642a1992c
                                                                • Instruction ID: 78214b5732346d07564fb79c967a9711bab5a171b102f320ef8b55386ac82a2a
                                                                • Opcode Fuzzy Hash: 66c5c6608108d4bdb404e0e20cc3e373e48806f75d3a27e224dc5ca642a1992c
                                                                • Instruction Fuzzy Hash: 30316074A19A0D8FEB45FF78C8956AA77A5FF98300F5005B9D409D36C6CE38A851C750
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 594abf133d20a42770c71edc2ab17ddd62988565a4165305d1c975503a1676e7
                                                                • Instruction ID: a39659e73068f296cde7b1a25c77a31d1c2ed0861ed83ab7352a5cd7dbed6a9b
                                                                • Opcode Fuzzy Hash: 594abf133d20a42770c71edc2ab17ddd62988565a4165305d1c975503a1676e7
                                                                • Instruction Fuzzy Hash: 77217C61B1DA494FE789FF3C945A279B6C2EB98301F0405BEE44EC3293DE68AC429345
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 10dc7c6350a2ca86c1a5b1f61ee55b25033c3e616f5cda04ff0e7f1805fb0ea5
                                                                • Instruction ID: 5c1be8e36b60a8da15e15df3804c4855811fcb6997da166a19e55b277eac9a8c
                                                                • Opcode Fuzzy Hash: 10dc7c6350a2ca86c1a5b1f61ee55b25033c3e616f5cda04ff0e7f1805fb0ea5
                                                                • Instruction Fuzzy Hash: CE31C064A1DB8D8FE391FF28C4E45A97F65EF98304B9040EAD84883BCACD386D11C795
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8e1027e481c5935b6351a71abf2bc95206c5e5264981dc085f9b074a82c8352c
                                                                • Instruction ID: aa4de317d46974cf0e2445e63faae945fa20df8c4668147efc2c3288311910a7
                                                                • Opcode Fuzzy Hash: 8e1027e481c5935b6351a71abf2bc95206c5e5264981dc085f9b074a82c8352c
                                                                • Instruction Fuzzy Hash: 27014755A0DB811FF751BE3888555337FE4CBD2300B1801FBE88DCA0D7E8086941C392
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 577b3a23c8494824ee4b5fc5d3fd8699d18584aa9db9da7163247870c5614df2
                                                                • Instruction ID: aa15dd6a5f3d057eb664dbedb6c49d002ec3741401b10f896212b32f334c63ce
                                                                • Opcode Fuzzy Hash: 577b3a23c8494824ee4b5fc5d3fd8699d18584aa9db9da7163247870c5614df2
                                                                • Instruction Fuzzy Hash: 31D02B72F18D190FD294DD2CE005166F7D4DB5825071800BFE458D2160C4640C014381
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000010.00000002.2176285059.00007FFB4ADE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADE0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_16_2_7ffb4ade0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: <M_^$=M_^$M_^j$M_^p
                                                                • API String ID: 0-3547729567
                                                                • Opcode ID: ec61180bff1e44672a3cc5202a96d3f8fb8ca421c190a43fa596d545f7923e44
                                                                • Instruction ID: d4c5c367dee1948890dd9b87c8963e1313ff6ae24273775f866a7d30a911665e
                                                                • Opcode Fuzzy Hash: ec61180bff1e44672a3cc5202a96d3f8fb8ca421c190a43fa596d545f7923e44
                                                                • Instruction Fuzzy Hash: 483169E7B8D956DAF2033ABCE4821EA3798DF5032475942F6C8ADCA4C3DC18245795F1
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2258542649.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffb4add0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 437579c1e9cca9e8a5be6921292de94782d0f40a00fe798fa7a44a8cc668978e
                                                                • Instruction ID: 12a2dcae3eb826e1130ba80262464750c894fd2554fcad8d22763284af45eaac
                                                                • Opcode Fuzzy Hash: 437579c1e9cca9e8a5be6921292de94782d0f40a00fe798fa7a44a8cc668978e
                                                                • Instruction Fuzzy Hash: 13229EA1B2DB4A4BE798FF3CD459279B7D6EF98310F5405BDE44EC3292DE28A8418341
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2258542649.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffb4add0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 10dac58af747bcbe03dd1cfdd97b2a92d6c5941a7ebbdc2188f16468625a48db
                                                                • Instruction ID: aa65026871cb41a6c77110e970e141b8dd64f3520b0d095a31138947247d1726
                                                                • Opcode Fuzzy Hash: 10dac58af747bcbe03dd1cfdd97b2a92d6c5941a7ebbdc2188f16468625a48db
                                                                • Instruction Fuzzy Hash: 4C0291A1B1EB4A4BE799FF3CD46927976D2FF98300B5405BDE44EC32D6DE28A8418341
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2258542649.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffb4add0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: \
                                                                • API String ID: 0-2967466578
                                                                • Opcode ID: 4f20e7105726c8ae32390598027da6fa8a1a5c160a9e1dc96c60e3f8682115b4
                                                                • Instruction ID: 5e94564be2b801000e7ca72ad97f3a6da8c98cf53024e75b1b08b336fa2e1fd4
                                                                • Opcode Fuzzy Hash: 4f20e7105726c8ae32390598027da6fa8a1a5c160a9e1dc96c60e3f8682115b4
                                                                • Instruction Fuzzy Hash: 9331B0A1A5EB4D8FE351FF2CD0A65A87F61EF94200B9040EDD808C7BCACE345901C791
                                                                Memory Dump Source
                                                                • Source File: 00000011.00000002.2258542649.00007FFB4ADD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFB4ADD0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_17_2_7ffb4add0000_svchost.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e0f43069cf90f20b870c0ec7c14fc8a89ab352436eb805590e9105d3f4fa82fe
                                                                • Instruction ID: f5d9a7bb03d08abcd6dc5f1a24cb4cc14a0814cebf184685866f58073fc7b015